GHSA-w877-jfw7-46rj

Source

https://github.com/advisories/GHSA-w877-jfw7-46rj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-w877-jfw7-46rj/GHSA-w877-jfw7-46rj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w877-jfw7-46rj

Aliases

CGA-mcv5-fjr6-wxgg
CVE-2024-37902

Related

CGA-c6gj-pfw2-897g

Published

2024-06-17T21:20:44Z

Modified

2024-06-25T02:35:10.436021Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

DeepJavaLibrary API absolute path traversal

Details

Summary

DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0.

Impacted versions: 0.1.0 through 0.27.0

Patches

Patched Deep Learning Containers: v1.1-djl-0.27.0-inf-cpu-full v1.4-djl-0.27.0-inf-ds-0.12.6 v1.4-djl-0.27.0-inf-trt-0.8.0 v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1

Patched Library: v0.28.0

Database specific

{
    "nvd_published_at": "2024-06-17T20:15:14Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T21:20:44Z"
}

References

Affected packages

Maven / ai.djl:api

Package

Name: ai.djl:api; View open source insights on deps.dev
Purl: pkg:maven/ai.djl/api

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.1.0

Fixed

0.28.0

Affected versions

0.*

0.2.0

0.2.1

0.3.0

0.4.0

0.4.1

0.5.0

0.6.0

0.7.0

0.8.0

0.9.0

0.10.0

0.11.0

0.12.0

0.13.0

0.14.0

0.15.0

0.16.0

0.17.0

0.18.0

0.19.0

0.20.0

0.21.0

0.22.0

0.22.1

0.23.0

0.24.0

0.25.0

0.26.0

0.27.0