PYSEC-2024-154 – ultralytics
Package
Manager: pip
Name: ultralytics
Vulnerable Version: =8.3.41 || =8.3.42 || =8.3.43 || =8.3.44 || =8.3.45 || =8.3.46 || >=8.3.41 <8.3.47
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Several releases of ultralytics contained cryptocurrency-mining malware. Ultralytics has identified a supply chain attack affecting multiple versions of the ultralytics package on PyPI. The compromised versions contained unauthorized code that downloaded and executed cryptocurrency mining software when a YOLO model was instantiated. The code was injected into the PyPI release artifacts only and was not present in the public GitHub repository, so auditing the repository source does not reveal it; the installed wheel or sdist is what must be checked. The first release outside the affected range is 8.3.47. Any host that installed an affected version and instantiated a YOLO model should be treated as having executed the miner.
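The following is an added example, not code from OSV or from the Ultralytics project, showing how a practitioner would check an environment and a lock file against the affected set above using only the Python standard library. The affected versions and the >=8.3.41 <8.3.47 range are transcribed from this advisory; the requirements text is a constructed sample, and the helper names (`is_affected`, `check_installed`, `flagged_pins`) are this example's own.

```python
"""Check ultralytics versions against the PYSEC-2024-154 affected set (added example).

Standard library only, so it runs in any interpreter without `packaging`.
The affected set is transcribed from the advisory: explicit releases
8.3.41 through 8.3.46 plus the half-open range [8.3.41, 8.3.47).
"""
import re
from importlib import metadata

PACKAGE = "ultralytics"
AFFECTED_EXACT = {"8.3.41", "8.3.42", "8.3.43", "8.3.44", "8.3.45", "8.3.46"}
AFFECTED_RANGES = [("8.3.41", "8.3.47")]  # (introduced, fixed): lo <= v < hi

# PEP 440 pre-release / dev markers that sort *below* the final release.
_PRE = re.compile(r"^(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)


def parse_version(v):
    """Turn a version string into a comparable tuple (major, minor, patch, flag).

    '8.3.41'    -> (8, 3, 41, 0)
    '8.3.47rc1' -> (8, 3, 47, -1)   pre-release sorts below its final release
    Post-releases ('8.3.41.post1') compare equal to their base release, which
    is the conservative choice for an "is this build affected" check.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)[.\-_]?(.*)$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))            # '8.3' == '8.3.0'
    flag = -1 if _PRE.match(m.group(2).strip()) else 0
    return tuple(nums) + (flag,)


def is_affected(version):
    """True if `version` is one of the listed releases or inside an affected range."""
    if version in AFFECTED_EXACT:
        return True
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def check_installed(package=PACKAGE):
    """Return (installed_version, affected); (None, False) when not installed."""
    try:
        v = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None, False
    return v, is_affected(v)


def flagged_pins(requirements_text, package=PACKAGE):
    """Return exact pins (==) of `package` in a requirements/constraints file
    that fall in the affected set. Looser specifiers (>=, ~=) are skipped
    because they cannot be resolved without querying the index."""
    pin = re.compile(rf"^\s*{re.escape(package)}\s*==\s*([0-9][^\s;#,]*)", re.I)
    hits = []
    for line in requirements_text.splitlines():
        m = pin.match(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample lock file (not from any real project).
SAMPLE_REQUIREMENTS = """\
numpy==1.26.4
ultralytics==8.3.42
torch>=2.0
ultralytics==8.3.47 ; python_version >= "3.9"  # pin from another extras group
"""

if __name__ == "__main__":
    print("pinned affected versions:", flagged_pins(SAMPLE_REQUIREMENTS))
    installed, affected = check_installed()
    if installed is None:
        print(f"{PACKAGE} is not installed in this interpreter")
    else:
        print(f"{PACKAGE} {installed} installed; affected={affected}")
```

Run it inside the interpreter that serves the workload (a venv or container image), not the developer's shell, since `importlib.metadata` only sees the environment it is imported from. The function names are this example's own, not Ultralytics or OSV API.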
Metadata
Created: 2024-12-10T19:43:04.050935Z
Modified: 2024-12-10T19:20:27.097505Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F410
Auto approve: 1