CVE-2024-0521 paddlepaddle

Package

Manager: pip
Name: paddlepaddle
Vulnerable Version: >=0 <2.6.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00082 (percentile: 0.24941)

Details

Code Injection in paddlepaddle

The vulnerability arises from the way the url parameter is incorporated into the command string without proper validation or sanitization. If the url is constructed from untrusted sources, an attacker could potentially inject malicious commands.

Metadata

Created: 2024-01-20T21:30:25Z
Modified: 2024-01-29T16:25:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-chj7-w3f6-cvfj/GHSA-chj7-w3f6-cvfj.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-chj7-w3f6-cvfj
Finding: F422
Auto approve: 1