Fluid Attacks Database

Description

Code Injection in PyTorch Lightning PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker could execute commands on the target OS running the operating system by setting the PL_TRAINER_GPUS when using the Trainer module. A patch is included in the 1.6.0 release.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pytorch-lightning	>=0 <1.6.0	1.6.0

Aliases

1. CVE-2022-08452. NVD-2022-08453. OSV-2022-08454. GHSA-r5qj-cvf9-p85h5. GCVE-2022-0845

References

1. https://github.com/PyTorchLightning/pytorch-lightning/pull/122122. https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae3. https://github.com/pypa/advisory-database/tree/main/vulns/pytorch-lightning/PYSEC-2022-181.yaml4. https://github.com/pytorchlightning/pytorch-lightning5. https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.