Pytorch Lightning
CVE-2024-8019
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 27 pypi packages depend on pytorch-lightning (21 direct, 7 indirect)
Ecosystem-wide dependent count for version 2.4.0.
DescriptionCVE.org
In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. The vulnerability occurs at the /api/v1/upload_file/ endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.
AnalysisAI
In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. The vulnerability occurs at the /api/v1/upload_file/ endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations. Affected products include: Lightningai Pytorch Lightning. Version information: version 2.3.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
More in Pytorch Lightning
View allA vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path t
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to im
Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0. Rated critical severity (CVSS 9.8
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
pytorch-lightning is vulnerable to Deserialization of Untrusted Data. Rated high severity (CVSS 7.8), this vulnerability
A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sendi
Share
External POC / Exploit Code
Leaving vuln.today