pytorch-lightning: Arbitrary File Write via /v1/runs API Endpoint

Severity: Critical

A path traversal vulnerability in the /v1/runs API endpoint of pytorch-lightning v2.2.4 allows an attacker to write arbitrary files on the host. This issue was patched in a subsequent release.

Published: Jun 21 2024

CVSS score: 9.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Credit: zpbrent

Remediation Steps
  • Update to the latest version of the software where the vulnerability is patched.
  • Ensure that the plugin server is not exposed to untrusted networks.
  • Implement additional validation and sanitization for file paths when extracting tar.gz files.
  • Regularly audit and monitor the file system for unauthorized changes.
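The third remediation step, validating member paths before a tar.gz is written to disk, is what stops this class of bug. The following is an added example of that check and is not pytorch-lightning's own fix: it rejects absolute names, any `..` component, symlink and hardlink members, and anything whose resolved path lands outside the destination directory, then extracts only what survives. The archive it runs against is constructed in memory for the demonstration; the member names in it are illustrative, not taken from the advisory.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def is_within(base: Path, target: Path) -> bool:
    """True if target resolves to a location at or below base."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_extract(archive_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract a tar.gz into dest, refusing any member that could escape dest.

    Returns (extracted_member_names, rejected_member_names).
    """
    base = Path(dest).resolve()
    base.mkdir(parents=True, exist_ok=True)
    # Python 3.12+ (and the 3.8.17/3.9.17/3.10.12/3.11.4 backports) ship
    # tarfile.data_filter; use it as a second line of defence when present.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted: List[str] = []
    rejected: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = member.name
            # Absolute names and any ".." component are the classic traversal vectors.
            if os.path.isabs(name) or ".." in Path(name).parts:
                rejected.append(name)
                continue
            # Links are refused outright: a symlink pointing outside dest would let a
            # later member write through it even though that member's name looks clean.
            if member.issym() or member.islnk():
                rejected.append(name)
                continue
            # Belt and braces: check where the name actually resolves on disk.
            if not is_within(base, base / name):
                rejected.append(name)
                continue
            tar.extract(member, path=str(base), **extract_kwargs)
            extracted.append(name)
    return extracted, rejected


def build_archive(files: Dict[str, bytes], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Constructed test fixture: build an in-memory tar.gz from {name: content} plus symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)  # name stored verbatim, no normalisation
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def demo() -> dict:
    """Run the check against a constructed archive: one benign member, four hostile ones."""
    archive = build_archive(
        {
            "run-1/config.yaml": b"lr: 0.001\n",          # benign, stays inside dest
            "../../outside.txt": b"escaped\n",            # constructed: leading traversal
            "/tmp/absolute.txt": b"absolute\n",           # constructed: absolute path
            "run-1/nested/../../../x.txt": b"x\n",        # constructed: traversal mid-path
        },
        symlinks={"escape-link": "/"},                    # constructed: symlink out of dest
    )
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    extracted, rejected = safe_extract(archive, dest)
    on_disk = sorted(str(p.relative_to(dest)) for p in Path(dest).rglob("*") if p.is_file())
    return {"extracted": extracted, "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    print(demo())
```

The resolved-path check is deliberately kept even when `filter="data"` is available: it documents the invariant (nothing lands outside `dest`) in the application's own code rather than relying on the interpreter version the service happens to run under.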

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A