Remote Code Execution via Arbitrary File Manipulation in Logging Interface
A vulnerability in the Triton Inference Server allows an attacker to create or append to arbitrary files through the `/v2/logging` interface by supplying an absolute path in the `log_file` parameter. The issue is present in release r23.04 and was patched in release 24.04. An attacker who can point the log at a file the system later interprets, such as `/root/.bashrc`, can use the appended log content to execute arbitrary code.
Available publicly on May 18 2024 | Available with Premium on May 17 2024
Remediation Steps
- Ensure your Triton Inference Server is updated to version 24.04 or later.
- Restrict access to the Triton server's logging interface (`/v2/logging`) to trusted users only, for example by placing the HTTP endpoint behind an authenticating proxy or network controls.
- Regularly audit and monitor log files, and files that should never contain log output (such as shell startup files), for unexpected modifications or entries.
- Consider implementing additional input validation for the `log_file` parameter: reject absolute paths and `..` components, and confirm that the resolved path stays inside the intended log directory.
- Review and apply relevant security patches and updates promptly.
Patch Details
- Fixed Version: 24.04
- Patch Commit: https://github.com/triton-inference-server/server/commit/bf430f8589c82c57cc28e64be456c63a65ce7664