GHSA-47wv-vhj2-g66m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-47wv-vhj2-g66m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-47wv-vhj2-g66m/GHSA-47wv-vhj2-g66m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-47wv-vhj2-g66m
- Aliases
- Published
- 2022-03-29T19:18:32Z
- Modified
- 2024-09-20T21:43:02.531163Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
- 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Use of insecure temporary file in Horovod
- Details
-
Impact
The insecure
tempfile.mktemp()is used when Horovod is run in an LSF job withjsrun. In that situation, a jsrun rank file is created withmktemp, which could be hijacked by another process to read or manipulate the content.This issue does not impact the use of MPI, Gloo, Spark or Ray.
Patches
The problem has been fixed in b96ecae4.
Workarounds
The rank file is not created when
binding_argsare provided in theSettingsinstance.References
Please see https://github.com/horovod/horovod/pull/3358 for details.
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/horovod/horovod
- Database specific
{ "nvd_published_at": "2022-03-24T09:15:00Z", "cwe_ids": [ "CWE-377", "CWE-668" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-03-29T19:18:32Z" }- References
-
- https://github.com/horovod/horovod/security/advisories/GHSA-47wv-vhj2-g66m
- https://nvd.nist.gov/vuln/detail/CVE-2022-0315
- https://github.com/horovod/horovod/pull/3358
- https://github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41
- https://github.com/advisories/GHSA-47wv-vhj2-g66m
- https://github.com/horovod/horovod
- https://github.com/pypa/advisory-database/tree/main/vulns/horovod/PYSEC-2022-175.yaml
- https://huntr.dev/bounties/7e50397b-dd63-4bb5-b56d-704094a7da45
Affected packages
PyPI / horovod
Package
- Name
- horovod
- View open source insights on deps.dev
- Purl
- pkg:pypi/horovod
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.24.0
Affected versions
0.*
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12
0.10.0
0.10.1
0.10.2
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.13.10
0.13.11
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.18.0
0.18.1
0.18.2
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.20.0
0.20.1
0.20.2
0.20.3
0.21.0
0.21.1
0.21.2
0.21.3
0.22.0
0.22.1
0.23.0