Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jaGo3LXczZjYtY3Zmas4AA4mF

Code Injection in paddlepaddle

The vulnerability arises from the way the url parameter is incorporated into the command string without proper validation or sanitization. If the url is constructed from untrusted sources, an attacker could potentially inject malicious commands.

Permalink: https://github.com/advisories/GHSA-chj7-w3f6-cvfj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jaGo3LXczZjYtY3Zmas4AA4mF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 9.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-chj7-w3f6-cvfj, CVE-2024-0521
References:
Blast Radius: 31.1

Affected Packages

pypi:paddlepaddle
Dependent packages: 41
Dependent repositories: 2,208
Downloads: 267,914 last month
Affected Version Ranges: < 2.6.0
Fixed in: 2.6.0
All affected versions: 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2
All unaffected versions: 2.6.0, 2.6.1