CVE-2018-1281

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2018-1281
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1281.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-1281
Published
2018-06-08T19:29:00Z
Modified
2024-09-03T02:04:28.046579Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLCPSROOTURI and DMLCPSROOTPORT env variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than user specified DMLCPSROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attackers reachable via the interface they didn't expect to be listening on. For example: If a user wants to run a clustered setup locally, they may specify to run on 127.0.0.1. But since MXNet will listen on 0.0.0.0, it makes the port accessible on all network interfaces.

References

Affected packages

Git / github.com/apache/incubator-mxnet

Affected ranges

Type
GIT
Repo
https://github.com/apache/incubator-mxnet
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/dmlc/ps-lite
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.10.0
v0.7.0
v0.8.0
v0.9.1
v0.9.2
v0.9.3
v0.9.5

Other

v1