CVE-2024-10190
- Source
- https://cve.org/CVERecord?id=CVE-2024-10190
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10190.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-10190
- Aliases
- Published
- 2025-03-20T10:15:15.117Z
- Modified
- 2025-12-13T04:56:16.094157Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the
ElasticRendezvousHandler, a subclass ofKVStoreHandler. Specifically, the_put_valuemethod inElasticRendezvousHandlercallscodec.loads_base64(value), which eventually invokescloudpickle.loads(decoded). This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server. - References
Affected packages
Git / github.com/horovod/horovod
Affected ranges
- Type
- GIT
- Repo
- https://github.com/horovod/horovod
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.13.10
v0.13.11
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.13.7
v0.13.8
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0.post1
v0.17.1
v0.18.0
v0.18.1
v0.18.2
v0.19.0
v0.19.1
v0.19.2
v0.20.0
v0.20.1
v0.20.2
v0.20.3
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.26.1
v0.27.0
v0.28.1
v0.9.0
v0.9.1
v0.9.10
v0.9.11
v0.9.12
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9