
CVE-2024-27763: XPixelGroup BasicSR Command Injection

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.3165%
Published: 3/12/2025
Updated: 3/13/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name: basicsr
Ecosystem: pip
Vulnerable Versions: <= 1.4.2
First Patched Version: (none listed)

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from line 44 in dist_util.py, where subprocess.getoutput(f'scontrol show hostname {node_list} | head -n1') interpolates the SLURM_NODELIST environment variable directly into a shell command string. Because node_list comes from the environment without validation or sanitization, and subprocess.getoutput runs the string through a shell, an attacker who controls that variable can inject arbitrary commands via shell command-substitution characters. The function _init_dist_slurm handles SLURM cluster initialization and is the only location where this vulnerable command construction occurs, as evidenced by the referenced code snippets and advisory details.
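The following is an added example (not code from BasicSR or from this advisory) that places the vulnerable construction described above beside a hardened form. The hardened version validates SLURM_NODELIST against the character set a SLURM hostlist expression uses and passes the value as a discrete argument to subprocess.run with no shell, so no interpolation into a command string takes place. The sample node-list values, the regular expression, and the runner injection parameter are assumptions made for this example.

```python
import re
import subprocess

# Constructed sample values; in a real job SLURM_NODELIST is set by the scheduler.
SAFE_NODELIST = "node[001-004]"
UNSAFE_NODELIST = "node001$(hostname)"  # contains shell command-substitution syntax

# Assumed allow-list for SLURM hostlist expressions: names, digits and the
# range/list punctuation scontrol accepts. Shell metacharacters are excluded.
_NODELIST_RE = re.compile(r"[A-Za-z0-9_.,\-\[\]]+")


def vulnerable_command(node_list: str) -> str:
    """The pattern the advisory describes: the variable is spliced into a
    shell command string (subprocess.getoutput runs it with shell=True).
    Returned here as a string only; it is never executed in this example."""
    return f"scontrol show hostname {node_list} | head -n1"


def is_valid_nodelist(node_list: str) -> bool:
    """True only if the value is non-empty and matches the hostlist allow-list."""
    return bool(node_list) and _NODELIST_RE.fullmatch(node_list) is not None


def build_hostname_argv(node_list: str) -> list:
    """Build an argv list for scontrol. The node list is one argument, so even
    if validation were loosened no shell would ever parse it."""
    if not is_valid_nodelist(node_list):
        raise ValueError(f"refusing unsafe SLURM_NODELIST value: {node_list!r}")
    return ["scontrol", "show", "hostname", node_list]


def first_hostname(node_list: str, runner=subprocess.run) -> str:
    """Hardened replacement for the getoutput(...) | head -n1 idiom.

    `runner` defaults to subprocess.run and is injectable only so the example
    can be exercised offline without a SLURM installation."""
    argv = build_hostname_argv(node_list)
    result = runner(argv, capture_output=True, text=True, check=True)  # shell=False
    lines = result.stdout.splitlines()
    if not lines:
        raise RuntimeError("scontrol returned no hostnames")
    return lines[0]


if __name__ == "__main__":
    print("vulnerable string:", vulnerable_command(UNSAFE_NODELIST))
    print("valid:", is_valid_nodelist(SAFE_NODELIST), is_valid_nodelist(UNSAFE_NODELIST))
    print("argv:", build_hostname_argv(SAFE_NODELIST))
```

The detection side of this is a one-line grep for subprocess.getoutput, subprocess.getstatusoutput, os.system or shell=True combined with an f-string or % formatting; any such hit that includes an environment variable or other externally supplied value is the pattern this CVE describes.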


WAF Protection Rules

WAF Rule

XPixelGroup BasicSR through 1.4.2 might locally allow code execution in contrived situations where "scontrol show hostname" is executed in the presence of a crafted SLURM_NODELIST environment variable.
