Severity: High
Package: djl
Title: Arbitrary File Overwrite & RCE via Tarfile Path Traversal

A vulnerability in DJL version 0.27.0 allows for arbitrary file overwrite and potential remote code execution via tarfile path traversal. This issue was patched in version 0.28.0.

Available publicly on Sep 30 2024

CVSS score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Remediation Steps
  • Upgrade to DJL version 0.28.0 or later.
  • Ensure that tar extraction code validates and sanitizes every entry path so that absolute or traversing paths cannot write outside the intended extraction directory.
  • Review and monitor systems for any unauthorized changes or access that may have occurred due to this vulnerability.
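The entry-path check described in the remediation steps, shown as an added example (this is not DJL's code and not the change in the linked patch commit; it uses only java.nio.file, assumes POSIX-style paths, and the destination directory and entry names are constructed for illustration):

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/**
 * Added example (not DJL code): resolve a tar entry name against the
 * extraction directory and reject anything that would land outside it.
 */
public class SafeTarPath {

    /** Thrown when an archive entry name would escape the destination directory. */
    public static class UnsafeEntryException extends Exception {
        public UnsafeEntryException(String msg) {
            super(msg);
        }
    }

    /**
     * Returns the absolute, normalized target path for entryName, or throws
     * if the entry is absolute or climbs out of destDir via "..".
     */
    public static Path resolveSafely(Path destDir, String entryName) throws UnsafeEntryException {
        Path base = destDir.toAbsolutePath().normalize();
        Path entry = Paths.get(entryName);
        // Tar entry names are relative by convention; an absolute name must not be honoured.
        if (entry.isAbsolute()) {
            throw new UnsafeEntryException("absolute entry name: " + entryName);
        }
        // normalize() collapses "." and ".." first, so the startsWith check is
        // made on the real target; startsWith compares whole path components,
        // so "/tmp/model-extract2" does not pass as being inside "/tmp/model-extract".
        Path target = base.resolve(entry).normalize();
        if (!target.startsWith(base)) {
            throw new UnsafeEntryException("entry escapes destination: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/model-extract"); // constructed destination directory
        // Constructed entry names: the first two stay inside the destination,
        // the remaining three would write outside it and must be rejected.
        List<String> names = List.of(
                "model/weights.bin",
                "model/../config.json",
                "../../outside-dest.txt",
                "/abs/outside.txt",
                "model/../../outside.txt");
        for (String n : names) {
            try {
                System.out.println("OK      " + n + " -> " + resolveSafely(dest, n));
            } catch (UnsafeEntryException e) {
                System.out.println("REJECT  " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run the check for every entry before opening any output stream, not just for the first one. It covers entry names only: an archive can also carry symlink or hardlink entries whose link targets point outside the destination, so an extractor should validate link targets with the same rule or skip link entries altogether.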
Patch Details
  • Fixed Version: 0.28.0
  • Patch Commit: https://github.com/deepjavalibrary/djl/commit/f0e4e0cb01da614f7c3a9ba349536e7923fa8813