CVE-2024-5452 - OpenCVE

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lightningai	Pytorch Lightning

Configuration 1 [-]

cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:*

No data.

References

Link	Providers
https://huntr.com/bounties/486add92-275e-4a7b-92f9-42d84bc759da

History

Wed, 09 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lightningai Lightningai pytorch Lightning
Weaknesses		CWE-913
CPEs		cpe:2.3:a:lightningai:pytorch_lightning::::::python::*
Vendors & Products		Lightningai Lightningai pytorch Lightning
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T17:54:57.559Z

Updated: 2024-08-09T20:02:15.860Z

Reserved: 2024-05-28T20:50:35.677Z

Link: CVE-2024-5452

Vulnrichment

Updated: 2024-08-01T21:11:12.744Z

NVD

Status : Analyzed

Published: 2024-06-06T18:15:20.970

Modified: 2024-10-09T14:57:27.450

Link: CVE-2024-5452

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5452", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-05-28T20:50:35.677Z", "datePublished": "2024-06-06T17:54:57.559Z", "dateUpdated": "2024-08-09T20:02:15.860Z"}, "containers": {"cna": {"title": "RCE via Property/Class Pollution in lightning-ai/pytorch-lightning", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T17:54:57.559Z"}, "descriptions": [{"lang": "en", "value": "A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default."}], "affected": [{"vendor": "lightning-ai", "product": "lightning-ai/pytorch-lightning", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/486add92-275e-4a7b-92f9-42d84bc759da"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes", "cweId": "CWE-915"}]}], "source": {"advisory": "486add92-275e-4a7b-92f9-42d84bc759da", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.744Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/486add92-275e-4a7b-92f9-42d84bc759da", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "lightning_ai", "product": "lightning_ai\\/pytorch_lightning", "cpes": ["cpe:2.3:a:lightning_ai:lightning_ai\\/pytorch_lightning:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-09T19:54:34.271410Z", "id": "CVE-2024-5452", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T20:02:15.860Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/486add92-275e-4a7b-92f9-42d84bc759da", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.744Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5452", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-09T19:54:34.271410Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:lightning_ai:lightning_ai\\/pytorch_lightning:*:*:*:*:*:*:*:*"], "vendor": "lightning_ai", "product": "lightning_ai\\/pytorch_lightning", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.2.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T20:01:57.999Z"}}], "cna": {"title": "RCE via Property/Class Pollution in lightning-ai/pytorch-lightning", "source": {"advisory": "486add92-275e-4a7b-92f9-42d84bc759da", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "lightning-ai", "product": "lightning-ai/pytorch-lightning", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/486add92-275e-4a7b-92f9-42d84bc759da"}], "descriptions": [{"lang": "en", "value": "A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T17:54:57.559Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5452", "state": "PUBLISHED", "dateUpdated": "2024-08-09T20:02:15.860Z", "dateReserved": "2024-05-28T20:50:35.677Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-06T17:54:57.559Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:*", "matchCriteriaId": "386EAF15-CC88-4DDF-9D59-154027ADB0B5", "versionEndExcluding": "2.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) en la versi\u00f3n 2.2.1 de la librer\u00eda Lightning-ai/pytorch-lightning debido al manejo inadecuado de la entrada del usuario deserializada y a la mala administraci\u00f3n de los atributos dunder por parte de la librer\u00eda \"deepdiff\". La librer\u00eda utiliza objetos `deepdiff.Delta` para modificar el estado de la aplicaci\u00f3n en funci\u00f3n de las acciones del frontend. Sin embargo, es posible eludir las restricciones previstas sobre la modificaci\u00f3n de los atributos de dunder, lo que permite a un atacante construir un delta serializado que pasa la lista blanca de deserializadores y contiene atributos de dunder. Cuando se procesa, esto se puede aprovechar para acceder a otros m\u00f3dulos, clases e instancias, lo que lleva a una escritura de atributos arbitraria y un RCE total en cualquier aplicaci\u00f3n pytorch-lightning autohospedada en su configuraci\u00f3n predeterminada, ya que el endpoint delta est\u00e1 habilitado de forma predeterminada."}], "id": "CVE-2024-5452", "lastModified": "2024-10-09T14:57:27.450", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-06T18:15:20.970", "references": [{"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/486add92-275e-4a7b-92f9-42d84bc759da"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-913"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-915"}], "source": "security@huntr.dev", "type": "Secondary"}]}