CVE-2024-2914

Source
https://cve.org/CVERecord?id=CVE-2024-2914
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2914.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-2914
Published
2024-06-06T18:15:13.227Z
Modified
2026-04-10T05:12:08.072871Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

A TarSlip vulnerability (path traversal through tar entry names, the tar-archive form of Zip Slip) exists in deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. The library extracts tar archives without checking that each entry's name, once resolved against the destination directory, still lies inside that directory. An attacker who can supply the archive being extracted can therefore use entry names containing ../ segments or absolute paths to write or overwrite arbitrary files wherever the extracting process has write access. Depending on which file is overwritten, this can lead to remote code execution, privilege escalation, data theft or manipulation, or denial of service. The missing validation occurs at several extraction sites in the library's code base, including but not limited to the filesutil.py and extractimagenet.py scripts named in the original report.
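
The following is an added illustration of the bug class and of the check that closes it. It is not DJL's code and not the 0.27.0 patch; the archive contents, entry names and destination paths are constructed for the demo. naive_target shows the vulnerable join-and-trust pattern, while entry_is_safe and safe_extract resolve every entry against the real destination directory before writing it, rejecting traversal, absolute paths and links.

```python
"""TarSlip illustration (generic, not DJL's code): a constructed archive with
traversal, absolute-path and symlink entries, the vulnerable join pattern, and
an extractor that validates every entry against the destination directory."""
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive: one legitimate entry plus the entry kinds a
    TarSlip payload relies on. Built in memory so the demo runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("model/weights.bin", b"\x00" * 16)                    # legitimate
        add_file("../../.ssh/authorized_keys", b"ssh-ed25519 AAAA\n")  # ../ traversal
        add_file("/etc/cron.d/backdoor", b"* * * * * root /tmp/x\n")  # absolute name
        link = tarfile.TarInfo("model/escape")                         # symlink out of dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../tmp"
        tar.addfile(link)
        add_file("model/escape/payload", b"owned")  # would follow the link if it existed
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """The vulnerable pattern: trust the entry name and join it to dest.
    '../' segments walk out of dest, and an absolute name discards dest entirely.
    normpath() shows the path the OS would actually open."""
    return os.path.normpath(os.path.join(dest, name))


def entry_is_safe(dest: str, member: tarfile.TarInfo) -> bool:
    """Hardened check: only regular files and directories whose resolved path
    stays under dest. realpath() is evaluated against the filesystem as it is
    when the entry is about to be written, so it must be called per entry,
    immediately before writing, not once up front."""
    if not (member.isfile() or member.isdir()):
        # Links, devices and FIFOs are rejected outright: a symlink written by an
        # earlier entry would let a later, benign-looking name escape dest.
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only validated entries; return (extracted_names, rejected_names).
    Files are written explicitly rather than via TarFile.extract so behaviour
    does not depend on the interpreter's default extraction filter."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for member in tar:
            if not entry_is_safe(dest, member):
                rejected.append(member.name)
                continue
            target = os.path.join(os.path.realpath(dest), member.name)
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out, tar.extractfile(member) as src:
                    out.write(src.read())
            extracted.append(member.name)
    return extracted, rejected


def run_demo() -> tuple[list[str], list[str]]:
    """Extract the constructed archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_malicious_tar(), dest)


if __name__ == "__main__":
    dest = "/srv/models"  # hypothetical destination, for display only
    for name in ("../../.ssh/authorized_keys", "/etc/cron.d/backdoor"):
        print("naive join:", name, "->", naive_target(dest, name))
    ok, bad = run_demo()
    print("extracted:", ok)
    print("rejected:", bad)
```

Note that the later entry model/escape/payload is accepted only because the symlink model/escape was refused first; with the check done once up front instead of per entry, the link would be created and the payload written through it outside dest.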

References

Affected packages

Git / github.com/deepjavalibrary/djl

Affected ranges

Type
GIT
Repo
https://github.com/deepjavalibrary/djl
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected
0.26.0 (per the database-specific versions below)
Fixed
[none recorded in the range events; the Details above state 0.27.0]
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.26.0"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.2.0
v0.26.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2914.json"