Critical severity · NVD Advisory · Published Mar 7, 2024 · Updated Feb 13, 2025

CVE-2024-0917

Description

remote code execution in paddlepaddle/paddle 2.6.0

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-0917 is a critical remote code execution vulnerability in PaddlePaddle 2.6.0 via the `fleet.utils.fs.py` module.

Vulnerability Description

CVE-2024-0917 describes a remote code execution (RCE) vulnerability in PaddlePaddle/Paddle version 2.6.0. The issue resides in the `fleet.utils.fs.py` module, specifically around line 723, where improper handling of user-supplied input allows an attacker to inject arbitrary commands or code into the system [1][2][3].

Attack Vector & Prerequisites

The vulnerability is triggered by sending a specially crafted request to the affected PaddlePaddle component. No authentication is required to exploit this flaw, and network access to the vulnerable service is sufficient for an attacker to execute arbitrary code on the host running PaddlePaddle [2][4]. The attack complexity is low, making it easily exploitable.

Impact

Successful exploitation grants an attacker the ability to run arbitrary code with the privileges of the PaddlePaddle process. This can lead to full compromise of the affected system, including data theft, installation of malware, or further movement within the network. The vulnerability has a CVSS base score of 9.8 (Critical) [2].

Mitigation Status

As of the publication date (March 2024), the remediation is to upgrade to a version newer than 2.6.0, applying the patch or official update that addresses CVE-2024-0917. Users are advised to review the PaddlePaddle release notes and upgrade to the latest stable release to remediate the issue [1]. The vulnerability was reported through the huntr bug bounty platform [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
paddlepaddle (PyPI) | <= 2.6.0 |

Affected products: 2

Patches: 0

No patches discovered yet.

References: 4
