Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS13ODc3LWpmdzctNDZyas4AA9Ik

DeepJavaLibrary API absolute path traversal

Summary

DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0.

Impacted versions: 0.1.0 through 0.27.0

Patches

Patched Deep Learning Containers:
v1.1-djl-0.27.0-inf-cpu-full
v1.4-djl-0.27.0-inf-ds-0.12.6
v1.4-djl-0.27.0-inf-trt-0.8.0
v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1

Patched Library:
v0.28.0

Permalink: https://github.com/advisories/GHSA-w877-jfw7-46rj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ODc3LWpmdzctNDZyas4AA9Ik
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago

CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-w877-jfw7-46rj, CVE-2024-37902
References:

• https://github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj
• https://github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full
• https://github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1
• https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6
• https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0
• https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0
• https://nvd.nist.gov/vuln/detail/CVE-2024-37902
• https://github.com/advisories/GHSA-w877-jfw7-46rj

Repository: https://github.com/deepjavalibrary/djl
Blast Radius: 20.7

Affected Packages