Search criteria
3 vulnerabilities found for deep_java_library by djl
FKIE_CVE-2024-2914
Vulnerability from fkie_nvd - Published: 2024-06-06 18:15 - Updated: 2024-11-21 09:10
Severity
Summary
A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. This vulnerability allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation of this vulnerability could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The vulnerability is due to improper validation of file paths during the extraction of tar files, as demonstrated in multiple occurrences within the library's codebase, including but not limited to the files_util.py and extract_imagenet.py scripts.
References
| URL | Tags | ||
|---|---|---|---|
| security@huntr.dev | https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370 | Patch | |
| security@huntr.dev | https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| djl | deep_java_library | 0.26.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djl:deep_java_library:0.26.0:*:*:*:*:*:*:*",
"matchCriteriaId": "99799B59-3597-48CF-8D22-710F764A2D3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. This vulnerability allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation of this vulnerability could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The vulnerability is due to improper validation of file paths during the extraction of tar files, as demonstrated in multiple occurrences within the library\u0027s codebase, including but not limited to the files_util.py and extract_imagenet.py scripts."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad Tarslip en deepjavalibrary/djl, que afecta a la versi\u00f3n 0.26.0 y se corrigi\u00f3 en la versi\u00f3n 0.27.0. Esta vulnerabilidad permite a un atacante manipular rutas de archivos dentro de archivos tar para sobrescribir archivos arbitrarios en el sistema de destino. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo, escalada de privilegios, robo o manipulaci\u00f3n de datos y denegaci\u00f3n de servicio. La vulnerabilidad se debe a una validaci\u00f3n inadecuada de las rutas de los archivos durante la extracci\u00f3n de archivos tar, como se demuestra en m\u00faltiples apariciones dentro del c\u00f3digo base de la librer\u00eda, incluidos, entre otros, los scripts files_util.py y extract_imagenet.py."
}
],
"id": "CVE-2024-2914",
"lastModified": "2024-11-21T09:10:49.543",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-06T18:15:13.227",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-29"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-2914 (GCVE-0-2024-2914)
Vulnerability from cvelistv5 – Published: 2024-06-06 17:55 – Updated: 2024-08-01 19:25
VLAI
Title
TarSlip Vulnerability in deepjavalibrary/djl
Summary
A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. This vulnerability allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation of this vulnerability could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The vulnerability is due to improper validation of file paths during the extraction of tar files, as demonstrated in multiple occurrences within the library's codebase, including but not limited to the files_util.py and extract_imagenet.py scripts.
Severity
7.8 (High)
CWE
- CWE-29 - Path Traversal: '\..\filename'
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| deepjavalibrary | deepjavalibrary/djl |
Affected:
unspecified , < 0.27.0
(custom)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deepjavalibrary:djl:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "djl",
"vendor": "deepjavalibrary",
"versions": [
{
"lessThan": "0.27.0",
"status": "affected",
"version": "026.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2914",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T19:42:49.991428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T19:44:54.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:42.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deepjavalibrary/djl",
"vendor": "deepjavalibrary",
"versions": [
{
"lessThan": "0.27.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. This vulnerability allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation of this vulnerability could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The vulnerability is due to improper validation of file paths during the extraction of tar files, as demonstrated in multiple occurrences within the library\u0027s codebase, including but not limited to the files_util.py and extract_imagenet.py scripts."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29 Path Traversal: \u0027\\..\\filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:56:47.210Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24"
},
{
"url": "https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370"
}
],
"source": {
"advisory": "b064bd2f-bf6e-4fc0-898e-7d02a9b97e24",
"discovery": "EXTERNAL"
},
"title": "TarSlip Vulnerability in deepjavalibrary/djl"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-2914",
"datePublished": "2024-06-06T17:55:55.145Z",
"dateReserved": "2024-03-26T14:05:08.782Z",
"dateUpdated": "2024-08-01T19:25:42.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2914 (GCVE-0-2024-2914)
Vulnerability from nvd – Published: 2024-06-06 17:55 – Updated: 2024-08-01 19:25
VLAI
Title
TarSlip Vulnerability in deepjavalibrary/djl
Summary
A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. This vulnerability allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation of this vulnerability could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The vulnerability is due to improper validation of file paths during the extraction of tar files, as demonstrated in multiple occurrences within the library's codebase, including but not limited to the files_util.py and extract_imagenet.py scripts.
Severity
7.8 (High)
CWE
- CWE-29 - Path Traversal: '\..\filename'
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| deepjavalibrary | deepjavalibrary/djl |
Affected:
unspecified , < 0.27.0
(custom)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deepjavalibrary:djl:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "djl",
"vendor": "deepjavalibrary",
"versions": [
{
"lessThan": "0.27.0",
"status": "affected",
"version": "026.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2914",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T19:42:49.991428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T19:44:54.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:42.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deepjavalibrary/djl",
"vendor": "deepjavalibrary",
"versions": [
{
"lessThan": "0.27.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. This vulnerability allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation of this vulnerability could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The vulnerability is due to improper validation of file paths during the extraction of tar files, as demonstrated in multiple occurrences within the library\u0027s codebase, including but not limited to the files_util.py and extract_imagenet.py scripts."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29 Path Traversal: \u0027\\..\\filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:56:47.210Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24"
},
{
"url": "https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370"
}
],
"source": {
"advisory": "b064bd2f-bf6e-4fc0-898e-7d02a9b97e24",
"discovery": "EXTERNAL"
},
"title": "TarSlip Vulnerability in deepjavalibrary/djl"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-2914",
"datePublished": "2024-06-06T17:55:55.145Z",
"dateReserved": "2024-03-26T14:05:08.782Z",
"dateUpdated": "2024-08-01T19:25:42.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}