cvelistv5 - cve-2022-0845

CVE-2022-0845 (GCVE-0-2022-0845)

Vulnerability from cvelistv5 – Published: 2022-03-05 21:25 – Updated: 2024-08-02 23:40

Summary

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

Severity ?

7.3 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

CWE

CWE-94 - Improper Control of Generation of Code

Assigner

@huntrdev

References

URL

Tags

	https://huntr.dev/bounties/a795bf93-c91e-4c79-aae…	x_refsource_CONFIRM
	https://github.com/pytorchlightning/pytorch-light…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	pytorchlightning	pytorchlightning/pytorch-lightning	Affected: unspecified , < 1.6.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:40:04.570Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pytorchlightning/pytorch-lightning",
          "vendor": "pytorchlightning",
          "versions": [
            {
              "lessThan": "1.6.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-05T21:25:09",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
        }
      ],
      "source": {
        "advisory": "a795bf93-c91e-4c79-aae8-f7d8bda92e2a",
        "discovery": "EXTERNAL"
      },
      "title": " Code Injection in pytorchlightning/pytorch-lightning",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0845",
          "STATE": "PUBLIC",
          "TITLE": " Code Injection in pytorchlightning/pytorch-lightning"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "pytorchlightning/pytorch-lightning",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.6.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "pytorchlightning"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-94 Improper Control of Generation of Code"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
            },
            {
              "name": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae",
              "refsource": "MISC",
              "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
            }
          ]
        },
        "source": {
          "advisory": "a795bf93-c91e-4c79-aae8-f7d8bda92e2a",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-0845",
    "datePublished": "2022-03-05T21:25:09",
    "dateReserved": "2022-03-03T00:00:00",
    "dateUpdated": "2024-08-02T23:40:04.570Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:*\", \"versionEndExcluding\": \"1.6.0\", \"matchCriteriaId\": \"AAE83764-D0C2-42DA-8D8F-D0BA90E2FDF0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.\"}, {\"lang\": \"es\", \"value\": \"Una Inyecci\\u00f3n de C\\u00f3digo en el repositorio de GitHub pytorchlightning/pytorch-lightning versiones anteriores a 1.6.0\"}]",
      "id": "CVE-2022-0845",
      "lastModified": "2024-11-21T06:39:30.760",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 10.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-03-05T22:15:07.843",
      "references": "[{\"url\": \"https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae\", \"source\": \"security@huntr.dev\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a\", \"source\": \"security@huntr.dev\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@huntr.dev",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-0845\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2022-03-05T22:15:07.843\",\"lastModified\":\"2024-11-21T06:39:30.760\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.\"},{\"lang\":\"es\",\"value\":\"Una Inyecci\u00f3n de C\u00f3digo en el repositorio de GitHub pytorchlightning/pytorch-lightning versiones anteriores a 1.6.0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":5.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"1.6.0\",\"matchCriteriaId\":\"AAE83764-D0C2-42DA-8D8F-D0BA90E2FDF0\"}]}]}],\"references\":[{\"url\":\"https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

CNVD-2022-23485

Vulnerability from cnvd - Published: 2022-03-29

Title

Pytorch-Lightning代码注入漏洞

Description

Pytorch-Lightning是一个开源轻量级 PyTorch 包装器。用于高性能 Ai 研究。 Pytorch-Lightning存在代码注入漏洞，攻击者可利用该漏洞向GitHub存储库中注入代码。

Severity

高

Patch Name

Pytorch-Lightning代码注入漏洞的补丁

Patch Description

Pytorch-Lightning是一个开源轻量级 PyTorch 包装器。用于高性能 Ai 研究。 Pytorch-Lightning存在代码注入漏洞，攻击者可利用该漏洞向GitHub存储库中注入代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae

Reference

https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a

Impacted products

Name
Pytorch-Lightning Pytorch-Lightning <1.6.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-0845"
    }
  },
  "description": "Pytorch-Lightning\u662f\u4e00\u4e2a\u5f00\u6e90\u8f7b\u91cf\u7ea7 PyTorch \u5305\u88c5\u5668\u3002\u7528\u4e8e\u9ad8\u6027\u80fd Ai \u7814\u7a76\u3002\n\nPytorch-Lightning\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5411GitHub\u5b58\u50a8\u5e93\u4e2d\u6ce8\u5165\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-23485",
  "openTime": "2022-03-29",
  "patchDescription": "Pytorch-Lightning\u662f\u4e00\u4e2a\u5f00\u6e90\u8f7b\u91cf\u7ea7 PyTorch \u5305\u88c5\u5668\u3002\u7528\u4e8e\u9ad8\u6027\u80fd Ai \u7814\u7a76\u3002\r\n\r\nPytorch-Lightning\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5411GitHub\u5b58\u50a8\u5e93\u4e2d\u6ce8\u5165\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Pytorch-Lightning\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Pytorch-Lightning Pytorch-Lightning \u003c1.6.0"
  },
  "referenceLink": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a",
  "serverity": "\u9ad8",
  "submitTime": "2022-03-08",
  "title": "Pytorch-Lightning\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e"
}

GHSA-R5QJ-CVF9-P85H

Vulnerability from github – Published: 2022-03-06 00:00 – Updated: 2024-10-25 20:49

Summary

Code Injection in PyTorch Lightning

Details

PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker could execute commands on the target OS running the operating system by setting the PL_TRAINER_GPUS when using the Trainer module. A patch is included in the 1.6.0 release.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pytorch-lightning"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-07T19:58:34Z",
    "nvd_published_at": "2022-03-05T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker could execute commands on the target OS running the operating system by setting the `PL_TRAINER_GPUS` when using the `Trainer` module. A [patch](https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae) is included in the `1.6.0` release.",
  "id": "GHSA-r5qj-cvf9-p85h",
  "modified": "2024-10-25T20:49:59Z",
  "published": "2022-03-06T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0845"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PyTorchLightning/pytorch-lightning/pull/12212"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-r5qj-cvf9-p85h"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pytorch-lightning/PYSEC-2022-181.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorchlightning/pytorch-lightning"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Code Injection in PyTorch Lightning"
}

FKIE_CVE-2022-0845

Vulnerability from fkie_nvd - Published: 2022-03-05 22:15 - Updated: 2024-11-21 06:39

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

References

URL	Tags
security@huntr.dev	https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae	Patch, Third Party Advisory
security@huntr.dev	https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a	Exploit, Issue Tracking, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	lightningai	pytorch_lightning	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "AAE83764-D0C2-42DA-8D8F-D0BA90E2FDF0",
              "versionEndExcluding": "1.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0."
    },
    {
      "lang": "es",
      "value": "Una Inyecci\u00f3n de C\u00f3digo en el repositorio de GitHub pytorchlightning/pytorch-lightning versiones anteriores a 1.6.0"
    }
  ],
  "id": "CVE-2022-0845",
  "lastModified": "2024-11-21T06:39:30.760",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.5,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-05T22:15:07.843",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

PYSEC-2022-181

Vulnerability from pysec - Published: 2022-03-05 22:15 - Updated: 2022-04-11 00:47

Details

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

Impacted products

Name	purl
pytorch-lightning	pkg:pypi/pytorch-lightning

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pytorch-lightning",
        "purl": "pkg:pypi/pytorch-lightning"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8b7a12c52e52a06408e9231647839ddb4665e8ae"
            }
          ],
          "repo": "https://github.com/pytorchlightning/pytorch-lightning",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.2",
        "0.10.0",
        "0.2",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.4.1",
        "0.2.5",
        "0.2.5.1",
        "0.2.5.2",
        "0.2.6",
        "0.3",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.4.1",
        "0.3.5",
        "0.3.6",
        "0.3.6.1",
        "0.3.6.3",
        "0.3.6.4",
        "0.3.6.5",
        "0.3.6.6",
        "0.3.6.7",
        "0.3.6.8",
        "0.3.6.9",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.3",
        "0.4.4",
        "0.4.5",
        "0.4.6",
        "0.4.7",
        "0.4.8",
        "0.4.9",
        "0.5.0",
        "0.5.1",
        "0.5.1.2",
        "0.5.1.3",
        "0.5.2",
        "0.5.2.1",
        "0.5.3",
        "0.5.3.1",
        "0.5.3.2",
        "0.5.3.3",
        "0.6.0",
        "0.7.1",
        "0.7.3",
        "0.7.5",
        "0.7.6",
        "0.8.1",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.9.0",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.0.8",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.1.6",
        "1.1.7",
        "1.1.8",
        "1.2.0",
        "1.2.0rc0",
        "1.2.0rc1",
        "1.2.0rc2",
        "1.2.1",
        "1.2.10",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.2.6",
        "1.2.7",
        "1.2.8",
        "1.2.9",
        "1.3.0",
        "1.3.0rc1",
        "1.3.0rc2",
        "1.3.0rc3",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.3.7.post0",
        "1.3.8",
        "1.4.0",
        "1.4.0rc0",
        "1.4.0rc1",
        "1.4.0rc2",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.4.8",
        "1.4.9",
        "1.5.0",
        "1.5.0rc0",
        "1.5.0rc1",
        "1.5.1",
        "1.5.10",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.5.6",
        "1.5.7",
        "1.5.8",
        "1.5.9",
        "1.6.0rc0",
        "1.6.0rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0845",
    "GHSA-r5qj-cvf9-p85h"
  ],
  "details": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.",
  "id": "PYSEC-2022-181",
  "modified": "2022-04-11T00:47:32.240193Z",
  "published": "2022-03-05T22:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
    },
    {
      "type": "FIX",
      "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-r5qj-cvf9-p85h"
    }
  ]
}

GSD-2022-0845

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

Aliases

CVE-2022-0845

Aliases

CVE-2022-0845

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-0845",
    "description": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.",
    "id": "GSD-2022-0845"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-0845"
      ],
      "details": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.",
      "id": "GSD-2022-0845",
      "modified": "2023-12-13T01:19:11.866282Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.dev",
        "ID": "CVE-2022-0845",
        "STATE": "PUBLIC",
        "TITLE": " Code Injection in pytorchlightning/pytorch-lightning"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "pytorchlightning/pytorch-lightning",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "1.6.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "pytorchlightning"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-94 Improper Control of Generation of Code"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a",
            "refsource": "CONFIRM",
            "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
          },
          {
            "name": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae",
            "refsource": "MISC",
            "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
          }
        ]
      },
      "source": {
        "advisory": "a795bf93-c91e-4c79-aae8-f7d8bda92e2a",
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.6.0",
          "affected_versions": "All versions before 1.6.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2022-03-10",
          "description": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning.",
          "fixed_versions": [],
          "identifier": "CVE-2022-0845",
          "identifiers": [
            "CVE-2022-0845",
            "GHSA-r5qj-cvf9-p85h"
          ],
          "not_impacted": "",
          "package_slug": "pypi/pytorch-lightning",
          "pubdate": "2022-03-05",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Code Injection in PyTorch Lightning",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-0845",
            "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae",
            "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a",
            "https://github.com/PyTorchLightning/pytorch-lightning/pull/12212",
            "https://github.com/advisories/GHSA-r5qj-cvf9-p85h"
          ],
          "uuid": "4f39f7b5-4b49-40c7-918c-5e6c56e7cc64"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:pytorchlightning:pytorch_lightning:*:*:*:*:*:python:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.6.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0845"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a"
            },
            {
              "name": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-03-10T22:00Z",
      "publishedDate": "2022-03-05T22:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-0845 (GCVE-0-2022-0845)

CNVD-2022-23485

GHSA-R5QJ-CVF9-P85H

FKIE_CVE-2022-0845

PYSEC-2022-181

GSD-2022-0845

Tags

Sightings

Nomenclature