Critical Severity
bentoml
Remote Code Execution via Insecure Deserialization in BentoML
BentoML version 1.2.2 is vulnerable to remote code execution (RCE) through insecure deserialization. A service endpoint deserializes the body of an incoming POST request, so an attacker who can reach the endpoint can send a crafted serialized object and have arbitrary code executed on the server hosting the BentoML application. This vulnerability was patched in version 1.2.5.
Available publicly on Apr 16 2024 | Available with Premium on Mar 25 2024
Remediation Steps
- Update BentoML to version 1.2.5 or later; this is the only change that removes the vulnerability.
- Review every service endpoint that accepts a request body. Do not deserialize untrusted input with a format that can instantiate arbitrary objects (for Python services, pickle); accept a data-only format such as JSON and validate it against the schema the endpoint expects.
- Until the upgrade is deployed, treat network controls as a compensating measure, not a fix: restrict which clients can reach the serving endpoint and use a firewall or intrusion detection system to monitor and block suspicious POST traffic.
- Regularly audit and update dependencies so that fixes of this kind are picked up promptly.
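The following is an added illustration of the bug class described above, not BentoML's code and not the patched handler: a request handler that trusts the client's content type and unpickles the body, next to a hardened handler that refuses pickle altogether and validates a JSON document. The content type string, the handler names and the request schema are assumptions made for the example; the "malicious" payload is constructed here and runs a harmless `echo` in place of a real command.

```python
"""Constructed example: unpickling a POST body (vulnerable) versus
refusing pickle and validating JSON (hardened). Not BentoML code;
content types, handler names and the request schema are hypothetical."""
import io
import json
import pickle
import subprocess

PICKLE_CT = "application/x-pickle"   # hypothetical content type a client might send
JSON_CT = "application/json"


class Gadget:
    """Attacker-controlled class: on load, pickle calls the callable
    returned by __reduce__ with the supplied arguments."""

    def __reduce__(self):
        # Stand-in for a reverse shell: runs `echo` on the server.
        return (subprocess.check_output, (["echo", "pickle executed"],))


def build_malicious_body() -> bytes:
    """The bytes an attacker would put in the POST body (constructed here)."""
    return pickle.dumps(Gadget())


def handle_vulnerable(body: bytes, content_type: str):
    """Vulnerable pattern: the client's content type selects pickle,
    and pickle.loads runs whatever callable the payload names."""
    if content_type == PICKLE_CT:
        return pickle.loads(body)      # arbitrary code executes here
    return json.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth only: refuse every global lookup so no callable
    (subprocess.check_output, os.system, ...) can be resolved at load time."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(body: bytes):
    """Unpickle with the restricted unpickler; raises on any gadget payload."""
    return RestrictedUnpickler(io.BytesIO(body)).load()


def handle_hardened(body: bytes, content_type: str):
    """Hardened pattern: never unpickle network input. Accept only JSON,
    then validate the shape before the data reaches the model."""
    if content_type != JSON_CT:
        raise ValueError(f"415 unsupported media type: {content_type}")
    data = json.loads(body)
    if (not isinstance(data, dict) or set(data) != {"inputs"}
            or not isinstance(data["inputs"], list)):
        raise ValueError("400 bad request: expected {'inputs': [...]}")
    if not all(isinstance(x, (int, float)) and not isinstance(x, bool)
               for x in data["inputs"]):
        raise ValueError("400 bad request: inputs must be numbers")
    return data["inputs"]


if __name__ == "__main__":
    payload = build_malicious_body()
    print("vulnerable handler returned:", handle_vulnerable(payload, PICKLE_CT))
    for fn in (lambda: handle_hardened(payload, PICKLE_CT),
               lambda: restricted_load(payload)):
        try:
            fn()
        except Exception as exc:   # ValueError or UnpicklingError
            print("blocked:", exc)
    print("hardened handler accepted:",
          handle_hardened(b'{"inputs": [1, 2.5]}', JSON_CT))
```

The vulnerable handler returns the output of the `echo` command, which shows that the payload ran code rather than merely producing an object. The restricted unpickler is included to show the defence-in-depth option, but the remediation above is the right primary fix: an endpoint exposed to untrusted clients should not accept pickle at all.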
Patch Details
- Fixed Version: 1.2.5
- Patch Commit: https://github.com/bentoml/bentoml/commit/fd70379733c57c6368cc022ac1f841b7b426db7b