Home > Vulnerability Database > CVE-2024-5980

Mend.io Vulnerability Database

CVE-2024-5980

Good to know:

Date: June 27, 2024

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim's local file system, potentially leading to remote code execution.

Language: Python

Severity Score

9.1

Related Resources (6)

Url: https://github.com/Lightning-AI/pytorch-lightning/releases/tag/2.3.3

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-5980

Url: https://github.com/lightning-ai/pytorch-lightning

Url: https://github.com/Lightning-AI/pytorch-lightning/pull/20039

Url: https://huntr.com/bounties/55a6ac6f-89c7-42ea-86f3-c6e93a2679f3

Url: https://www.mend.io/vulnerability-database/CVE-2024-5980

Severity Score

9.1

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

Upgrade Version

Upgrade to version lightning - 2.3.3

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-5980

Good to know:

Date: June 27, 2024

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?