Vulnerability Information
Vulnerability Title
Unauthenticated Remote Code Execution in ElasticRendezvousHandler in horovod/horovod
Vulnerability Description
Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the `ElasticRendezvousHandler`, a subclass of `KVStoreHandler`. Specifically, the `_put_value` method in `ElasticRendezvousHandler` calls `codec.loads_base64(value)`, which eventually invokes `cloudpickle.loads(decoded)`. This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server.
CVSS Information
N/A
Vulnerability Type
Deserialization of Untrusted Data
Vulnerability Title
Horovod Command Injection Vulnerability
Vulnerability Description
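Horovod is a distributed training framework for TensorFlow, Keras, PyTorch and Apache MXNet, open-sourced by Horovod. Horovod v0.28.1 and earlier contain a command injection vulnerability that stems from improper handling of base64-encoded data in ElasticRendezvousHandler and may lead to remote code execution.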
CVSS Information
N/A
Vulnerability Type
N/A
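The description above traces the flaw to a PUT body being base64-decoded and passed to `cloudpickle.loads` with no authentication. The following added example (not Horovod's code and not its fix) shows the hardened form of that decode path: the body must carry a valid HMAC-SHA256 tag and is parsed as JSON instead of pickle. The function names, the shared secret and the `put_value` handler are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a per-job secret shared with workers out of band (constructed value).
SECRET = b"constructed-demo-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def dumps_signed_base64(obj, key=SECRET):
    """Serialize to JSON, prepend an HMAC-SHA256 tag, then base64-encode."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(tag + body)


def loads_signed_base64(value, key=SECRET):
    """Decode a request body; verify the tag before parsing, and parse as data only."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("not valid base64") from exc
    if len(raw) <= TAG_LEN:
        raise ValueError("payload too short to carry a tag")
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; unauthenticated bytes never reach a deserializer.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC verification failed")
    # JSON yields plain data; unlike pickle, loading it cannot invoke callables.
    return json.loads(body.decode("utf-8"))


def put_value(store, scope, key, value):
    """Hypothetical stand-in for a KV-store PUT handler: verify first, store after."""
    try:
        decoded = loads_signed_base64(value)
    except ValueError:
        return 400  # rejected without deserializing sender-chosen bytes
    store.setdefault(scope, {})[key] = decoded
    return 200
```
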