CVE-2024-37902 CRITICAL

CVE-2024-37902: Path thraversal in DeepJavaLibrary

Vendor Deepjavalibrary

Product djl

Weakness CWE-22 · Path traversal

Published June 17, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

DeepJavaLibrary(DJL) is an Engine-Agnostic Deep Learning Framework in Java. DJL versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers version 0.27.0. Users are advised to upgrade.

Key dates

Disclosure timeline

June 17, 2024 CVE published

August 2, 2024 Record updated