Medium Severity

neural-compressor

Sensitive Information Disclosure Due to Weak Permissions in a Short Time Window

A vulnerability in the Intel Neural Compressor's configuration handling could lead to sensitive information disclosure due to a TOCTOU (Time-of-Check Time-of-Use) race condition. The issue, present in the master version, was patched in version 2.5.0. It arises from writing sensitive information to a file before tightening that file's permissions, which leaves a window during which the data could be read without authorization.

Available publicly on May 15 2024

CVSS score: 4.7

CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit: lujiefsi
Remediation Steps
  • Update to Intel Neural Compressor version 2.5.0 or later.
  • Review and monitor file system security policies to prevent unauthorized access.
  • Consider implementing atomic operations for file write and permission change to eliminate the TOCTOU vulnerability window.
  • Regularly audit and test for race condition vulnerabilities in software handling sensitive information.
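The following is an added illustration of the write-then-chmod window the advisory describes and of the atomic remediation in the third step above; it is example code, not code from Intel Neural Compressor or from the patch commit. The file names and the config fragment are constructed for the example, and the hardened writer assumes a POSIX platform where open(2) honours the requested mode with O_CREAT|O_EXCL.

```python
import os
import tempfile

def perm_bits(path: str) -> int:
    """Permission bits of a file (lower 9 mode bits)."""
    return os.stat(path).st_mode & 0o777

def write_config_racy(path: str, data: str) -> int:
    """The pattern the advisory describes: create with the process umask,
    write the secret, tighten permissions afterwards. Returns the mode a
    concurrent reader would observe in the window before chmod runs."""
    with open(path, "w") as f:
        f.write(data)
    mode_in_window = perm_bits(path)
    os.chmod(path, 0o600)  # too late: the data was already readable
    return mode_in_window

def write_config_safe(path: str, data: str) -> None:
    """Request mode 0o600 in the same open(2) call that creates the file,
    so no wider-permission window exists. O_EXCL refuses to reuse an
    existing file or symlink at the path; a restrictive umask is set
    around the call so the requested mode cannot be widened."""
    old_umask = os.umask(0o077)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def demo() -> dict:
    """Run both writers on a constructed config fragment (hypothetical file
    names) under a typical 0o022 umask and report what is observable."""
    cfg = "api_token: EXAMPLE-NOT-A-REAL-TOKEN\n"  # constructed sample
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy, safe = os.path.join(d, "racy.yaml"), os.path.join(d, "safe.yaml")
            window_mode = write_config_racy(racy, cfg)
            write_config_safe(safe, cfg)
            try:
                write_config_safe(safe, cfg)  # must refuse, not clobber
                refused = False
            except FileExistsError:
                refused = True
            return {"racy_window_mode": window_mode, "racy_final_mode": perm_bits(racy),
                    "safe_mode": perm_bits(safe), "exclusive_refused": refused}
    finally:
        os.umask(old_umask)
```

The racy writer ends with the same 0o600 mode as the safe one, which is why a final-state check alone does not reveal the defect; the value captured before chmod is what a concurrent reader could have seen.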
Patch Details
  • Fixed Version: 2.5.0
  • Patch Commit: https://github.com/intel/neural-compressor/commit/24419c9044fe227ea806db370c1a30272d026f8a