How severe is CVE-2024-5452?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2024-5452?

This is classified as CWE-915, which is a common weakness in software security.

CVE-2024-5452

CRITICAL Year: 2024

CVSS v3 Score

9.8

Critical

Weakness Type

CWE-915

View all →

Vulnerability Description

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.

CVE-2021-21304

CRITICAL

CVSS:9.8(Critical)

Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "...

CWE-9152021

CVE-2022-24802

CRITICAL

CVSS:9.8(Critical)

deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecord...

CWE-9152022

CVE-2022-31106

CRITICAL

CVSS:9.8(Critical)

Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An atta...

CWE-9152022

CVE-2022-43441

CRITICAL

CVSS:9.8(Critical)

A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attac...

CWE-9152022

CVE-2024-55636

CRITICAL

CVSS:9.8(Critical)

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. ...

CWE-9152024