Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Using MLeap for loading a saved model (zip archive) can lead to path traversal/arbitrary file creation and possibly remote code execution.
Vulnerability Description
FileUtil.extract() enumerates all zip file entries and extracts each file without validating whether file paths in the archive are outside the intended directory. When creating an instance of TensorflowModel using the saved_model format and an exported tensorflow model, the apply() function invokes the vulnerable implementation of FileUtil.extract(). Arbitrary file creation can directly lead to code execution
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
MLeap 安全漏洞
Vulnerability Description
MLeap是机器学习管道的通用序列化格式和执行引擎。 MLeap 存在安全漏洞,该漏洞源于不验证存档中的文件路径是否位于预期目录之外,任意文件创建可直接导致代码执行。
CVSS Information
N/A
Vulnerability Type
N/A