CVE-2022-0845 – pytorch-lightning
Package
Manager: pip
Name: pytorch-lightning
Vulnerable Version: >=0 <1.6.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00134 (percentile 0.33777)
Details
Code Injection in PyTorch Lightning
PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker who can set the `PL_TRAINER_GPUS` environment variable could execute commands on the operating system of the host running the `Trainer` module. A [patch](https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae) is included in the `1.6.0` release.
Metadata
Created: 2022-03-06T00:00:16Z
Modified: 2024-10-25T20:49:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-r5qj-cvf9-p85h/GHSA-r5qj-cvf9-p85h.json
CWE IDs: CWE-94
Alternative ID: GHSA-r5qj-cvf9-p85h
Finding: F422
Auto approve: 1