Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary Code Execution in feast-dev/feast
Vulnerability Description
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.
CVSS Information
N/A
Vulnerability Type
可信数据的反序列化
Vulnerability Title
feast 代码问题漏洞
Vulnerability Description
feast是Feast开源的一个 AI/ML 开源功能库。 feast 0.53.0版本存在代码问题漏洞,该漏洞源于YAML反序列化不当,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A