CVE-2024-2914

CVSS v3 Score
7.8
High

Vulnerability Description

A TarSlip vulnerability exists in deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. It allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The cause is improper validation of file paths during the extraction of tar files, which occurs in multiple places in the library's codebase, including but not limited to the files_util.py and extract_imagenet.py scripts.
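The path validation whose absence the description names can be sketched in Python as follows. This is an added example, not code from djl or its 0.27.0 fix; `safe_extract`, `UnsafeArchiveError` and `build_sample_tar` are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import os
import tarfile


class UnsafeArchiveError(Exception):
    """Raised when a tar member would land outside the destination."""


def _inside(base: str, candidate: str) -> bool:
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(candidate)]) == base


def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Validate every member first; write nothing if any member is unsafe."""
    members = tar.getmembers()
    for m in members:
        target = os.path.join(dest, m.name)  # absolute m.name replaces dest
        if not _inside(dest, target):
            raise UnsafeArchiveError(f"path escapes destination: {m.name!r}")
        if m.issym() or m.islnk():
            # Symlink targets resolve from the link's directory,
            # hard-link targets from the archive root.
            link_base = os.path.dirname(target) if m.issym() else dest
            if not _inside(dest, os.path.join(link_base, m.linkname)):
                raise UnsafeArchiveError(f"link escapes destination: {m.name!r}")
        elif not (m.isfile() or m.isdir()):
            raise UnsafeArchiveError(f"unsupported member type: {m.name!r}")
    # Defense in depth: also apply the stdlib "data" filter where available.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def build_sample_tar(names: list[str]) -> tarfile.TarFile:
    """Constructed in-memory archive for the demo; each entry holds 4 bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"data"))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Because all members are checked before `extractall` runs, an archive that mixes benign entries with one escaping entry is rejected without writing any of them.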

CVSS:7.8(High)

The listed versions for Weintek EasyBuilder Pro are vulnerable to a ZipSlip attack caused by decompiling a malicious project file. This may allow an attacker to gain control of the user’s computer or ...

CWE-29 2023
CVSS:7.5(High)

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.any...

CWE-29 2023
CVSS:7.5(High)

Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

CWE-29 2023
CVSS:8.1(High)

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CWE-29 2023
CVSS:7.5(High)

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CWE-29 2023
CVSS:7.5(High)

An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifica...

CWE-29 2024