漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
KTransformers Unsafe Deserialization RCE via balance_serve
Vulnerability Description
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
可信数据的反序列化
Vulnerability Title
ktransformers 代码问题漏洞
Vulnerability Description
ktransformers是kvcache.ai开源的一个CPU-GPU异构大模型推理与微调框架。 KTransformers 0.5.3及之前版本存在代码问题漏洞,该漏洞源于balance_serve后端模式中的不安全反序列化,其中调度器RPC服务器将ZMQ ROUTER套接字绑定到所有接口且无身份验证,并使用pickle.loads()反序列化传入消息,允许攻击者发送特制pickle有效载荷执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A