OS Command Injection Vulnerability in Auto Tuner Pruning Function
An OS Command Injection vulnerability was identified in the prune_by_memory_estimation function of the paddle.distributed.auto_tuner.prune module in PaddlePaddle version 2.6.0. This issue was patched in commit bd70057f653261ac79ff1e7801192839ee92f61e.
Available publicly on Apr 22 2024 | Available with Premium on Jan 30 2024
Remediation Steps
- Update to the patched version of PaddlePaddle as identified by the commit bd70057f653261ac79ff1e7801192839ee92f61e.
- Avoid using untrusted input when constructing OS commands. Where a subprocess is required, pass the program and its arguments as a discrete argument list rather than a shell string, and validate and sanitize any input that must be included.
- Employ the principle of least privilege by running processes with the minimum permissions necessary, reducing the potential impact of such vulnerabilities.
- Regularly audit and review code for potential injection vulnerabilities, adopting secure coding practices.
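As an added illustration of the pattern this advisory describes (this is not PaddlePaddle's code; the script name, argument names and config layout are assumptions), the vulnerable shell-string construction is shown beside a hardened argv form with input validation:

```python
"""Command-injection pattern (shell string) versus hardened argv construction.

Hypothetical example: the script path, argument names and config layout are
assumptions and are NOT PaddlePaddle's own code.
"""
import subprocess
from typing import Dict, List

# Constructed: knobs a memory-estimation helper might receive from a tuner config.
ALLOWED_KEYS = ("dp_degree", "mp_degree", "pp_degree", "micro_batch_size")
ESTIMATION_SCRIPT = "memory_estimation.py"  # hypothetical helper script


def build_command_unsafe(cfg: Dict[str, object]) -> str:
    """Vulnerable pattern: config values are interpolated into one shell string.

    If this string reaches subprocess with shell=True, any shell metacharacters
    inside a value are interpreted by /bin/sh instead of being passed as data.
    """
    parts = " ".join(f"--{k} {cfg[k]}" for k in ALLOWED_KEYS if k in cfg)
    return f"python {ESTIMATION_SCRIPT} {parts}"


def build_command_safe(cfg: Dict[str, object]) -> List[str]:
    """Hardened form: validate each value and emit an argv list (no shell)."""
    argv = ["python", ESTIMATION_SCRIPT]
    for key in ALLOWED_KEYS:
        if key not in cfg:
            continue
        value = cfg[key]
        # Degrees and batch sizes are positive integers; reject anything else
        # (strings carrying shell syntax, floats, bools, non-positive numbers).
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            raise ValueError(f"{key} must be a positive integer, got {value!r}")
        argv += [f"--{key}", str(value)]
    return argv


def run_estimation(cfg: Dict[str, object]) -> subprocess.CompletedProcess:
    """Executes the hardened argv; shell=False means no metacharacter parsing."""
    return subprocess.run(build_command_safe(cfg), shell=False,
                          capture_output=True, text=True, timeout=60)


def contains_shell_metacharacters(cmd: str) -> bool:
    """Code-review aid: does a command string still carry shell syntax?"""
    return any(ch in cmd for ch in ";|&$`<>()\n")


if __name__ == "__main__":
    print(build_command_safe({"dp_degree": 2, "mp_degree": 4}))
```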
Patch Details
- Fixed Version: bd70057f653261ac79ff1e7801192839ee92f61e
- Patch Commit: https://github.com/paddlepaddle/paddle/commit/bd70057f653261ac79ff1e7801192839ee92f61e