Remote Code Execution via Insecure Deserialization in BentoML
BentoML version 1.2.2 is vulnerable to remote code execution (RCE) through insecure deserialization, allowing attackers to execute arbitrary code by sending a malicious POST request. This vulnerability was patched in version 1.2.5.
Available publicly on Apr 16 2024 | Available with Premium on Mar 25 2024
Remediation Steps
- Update BentoML to version 1.2.5 or later.
- Review and sanitize all input to services, especially those accepting serialized objects.
- Implement additional security measures such as firewalls and intrusion detection systems to monitor and block malicious traffic.
- Regularly audit and update dependencies to mitigate vulnerabilities.
Patch Details
- Fixed Version: 1.2.5
- Patch Commit: https://github.com/bentoml/bentoml/commit/fd70379733c57c6368cc022ac1f841b7b426db7b
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.