Critical Severity

bentoml

Remote Code Execution via Insecure Deserialization in BentoML

BentoML version 1.2.2 is vulnerable to remote code execution (RCE) through insecure deserialization, allowing attackers to execute arbitrary code by sending a malicious POST request. This vulnerability was patched in version 1.2.5.

Available publicly on Apr 16 2024

9.8

CVE:

CVE-2024-2912

CWE:

1188:Insecure Default Initialization of Resource

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit:

pinkdraconian
AssessDetect

Available

Remediate
Remediation Steps
  • Update BentoML to version 1.2.5 or later.
  • Review and sanitize all input to services, especially those accepting serialized objects.
  • Implement additional security measures such as firewalls and intrusion detection systems to monitor and block malicious traffic.
  • Regularly audit and update dependencies to mitigate vulnerabilities.
Patch Details
  • Fixed Version: 1.2.5
  • Patch Commit: https://github.com/bentoml/bentoml/commit/fd70379733c57c6368cc022ac1f841b7b426db7b
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 291 related security advisories that are available with Sightline Premium.

Sightline logo
About Protect AIPrivacy PolicyTerms of Service
© 2024 Protect AI, Inc.
Slack iconLinkedIn iconYoutube iconX icon