Critical Severity

server

Remote Code Execution via Arbitrary File Manipulation in Logging Interface

A vulnerability in the Triton Inference Server allows arbitrary file creation or appending through the `/v2/logging` interface by specifying an absolute path in the `log_file` parameter. This issue, present in version r23.04, was patched in version 24.04. It enables attackers to execute arbitrary code by manipulating server files such as `root/.bashrc`.

Available publicly on May 18 2024

9

CVE:

CVE-2024-0087

CWE:

73:External Control of File Name or Path

CVSS:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Credit:

kirualawliet
AssessDetect

Premium

Remediate
Remediation Steps
  • Ensure your Triton Inference Server is updated to version 24.04 or later.
  • Restrict access to the Triton server's logging interface to trusted users only.
  • Regularly audit and monitor log files for unexpected modifications or entries.
  • Consider implementing additional input validation for the log_file parameter to prevent absolute path traversal.
  • Review and apply relevant security patches and updates promptly.
Patch Details
  • Fixed Version: 24.04
  • Patch Commit: https://github.com/triton-inference-server/server/commit/bf430f8589c82c57cc28e64be456c63a65ce7664
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.

Sightline logo
About Protect AIPrivacy PolicyTerms of Service
© 2024 Protect AI, Inc.
Slack iconLinkedIn iconYoutube iconX icon