CVE-2024-2912 CRITICAL

CVE-2024-2912: Insecure Deserialization Leading to RCE in bentoml/bentoml

Vendor Bentoml
Product bentoml/bentoml
Weakness CWE-1188
Published April 16, 2024
Last update August 1, 2024

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.

Key dates

02Disclosure timeline

April 16, 2024 CVE published
August 1, 2024 Record updated