Miggo Logo
Miggo Vulnerability Database
CVE-2023-52311

CVE-2023-52311: PaddlePaddle command injection in _wget_download

9.7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-52311
GHSA ID
GHSA-rf7p-79xq-8xwm
EPSS Score
0.48894%
CWE
CWE-78
Published
1/3/2024
Updated
11/22/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
PaddlePaddlepip< 2.6.02.6.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly references _wget_download as the entry point. The commit diff shows the vulnerable version directly interpolates the 'url' parameter into a shell command without proper validation (CWE-78). The patch adds URL scheme validation using urlparse and error handling, confirming the original implementation's insecurity. The function's use of subprocess.Popen with shell=True and untrusted input creates an unambiguous command injection vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P***l*P***l* ***or* *.*.* **s * *omm*n* inj**tion in _w**t_*ownlo**. T*is r*sult** in t** **ility to *x**ut* *r*itr*ry *omm*n*s on t** op*r*tin* syst*m.

Reasoning

T** vuln*r**ility *xpli*itly r***r*n**s _w**t_*ownlo** *s t** *ntry point. T** *ommit *i** s*ows t** vuln*r**l* v*rsion *ir**tly int*rpol*t*s t** 'url' p*r*m*t*r into * s**ll *omm*n* wit*out prop*r v*li**tion (*W*-**). T** p*t** ***s URL s***m* v*li*