Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
RCE via Property/Class Pollution in lightning-ai/pytorch-lightning
Vulnerability Description
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.
CVSS Information
N/A
Vulnerability Type
CWE-915
Vulnerability Title
Pytorch-Lightning 安全漏洞
Vulnerability Description
Pytorch-Lightning是一个开源轻量级 PyTorch 包装器。用于高性能 Ai 研究。 Pytorch-Lightning 2.2.1版本存在安全漏洞,该漏洞源于对反序列化用户输入的处理不当和对dunder属性的管理不善,导致受到远程代码执行(RCE)攻击。
CVSS Information
N/A
Vulnerability Type
N/A