CVE-2024-37902: DeepJavaLibrary API absolute path traversal
DeepJavaLibrary (DJL) versions 0.1.0 through 0.27.0 do not reject archive entries whose names are absolute paths, so extracting an archived artifact can write its files directly to arbitrary locations on the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in the DJL Large Model Inference containers for 0.27.0.
Impacted versions: 0.1.0 through 0.27.0
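The defect class behind this advisory is an archive extractor that trusts entry names. The following is an added illustration written for this page, not DJL's own code or its 0.28.0 fix: a Java extractor that rejects absolute entry names and `..` escapes before anything is written to disk (the class and method names are assumptions).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Hypothetical helper: extracts a model archive only into the chosen destination. */
public final class SafeUnzip {

    /**
     * Maps an archive entry name to a path under dest. Throws if the name is
     * absolute (the case in this advisory) or uses ".." to climb out of dest.
     */
    static Path resolveEntry(Path dest, String entryName) throws IOException {
        Path destAbs = dest.toAbsolutePath().normalize();
        // Zip names use '/'; treat backslashes as separators too so that
        // "\\etc\\passwd" is not silently accepted as a relative name.
        Path entryPath = Path.of(entryName.replace('\\', '/'));
        if (entryPath.isAbsolute() || entryPath.getRoot() != null) {
            throw new IOException("Rejected absolute archive entry: " + entryName);
        }
        Path target = destAbs.resolve(entryPath).normalize();
        // After normalizing "..", the result must still live under dest.
        if (!target.startsWith(destAbs)) {
            throw new IOException("Rejected path traversal entry: " + entryName);
        }
        return target;
    }

    /** Extracts every entry; the first unsafe name aborts the whole extraction. */
    public static void extract(InputStream in, Path dest) throws IOException {
        Files.createDirectories(dest);
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = resolveEntry(dest, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }
}
```

The check does not follow symbolic links already present under the destination; extracting into a fresh, empty directory keeps that from being a concern.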
References
- github.com/advisories/GHSA-w877-jfw7-46rj
- github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full
- github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1
- github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6
- github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0
- github.com/deepjavalibrary/djl
- github.com/deepjavalibrary/djl/releases/tag/v0.28.0
- github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj
- nvd.nist.gov/vuln/detail/CVE-2024-37902