9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-5452

GHSA ID

GHSA-cgwc-qvrx-rf7f

EPSS Score

0.97046%

CWE

CWE-913

Published

6/6/2024

Updated

10/16/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-5452

CVE-2024-5452: Remote code execution in pytorch lightning

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the deepdiff library. The library uses deepdiff.Delta objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.

(GitHub Advisory)

9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-5452

GHSA ID

GHSA-cgwc-qvrx-rf7f

EPSS Score

0.97046%

CWE

CWE-913

Published

6/6/2024

Updated

10/16/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lightning	pip	< 2.3.3	2.3.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is related to the use of deepdiff.Delta objects in the lightning app code. The patch removes the lightning app code, indicating that it was vulnerable. The exact function name is not visible in the patch, but it is related to the deepdiff library.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r*mot* *o** *x**ution (R**) vuln*r**ility *xists in t** li**tnin*-*i/pytor**-li**tnin* li*r*ry v*rsion *.*.* *u* to improp*r **n*lin* o* **s*ri*liz** us*r input *n* mism*n***m*nt o* *un**r *ttri*ut*s *y t** `***p*i**` li*r*ry. T** li*r*ry us*s `***

Reasoning

T** vuln*r**ility is r*l*t** to t** us* o* `***p*i**.**lt*` o*j**ts in t** li**tnin* *pp *o**. T** p*t** r*mov*s t** li**tnin* *pp *o**, in*i**tin* t**t it w*s vuln*r**l*. T** *x**t *un*tion n*m* is not visi*l* in t** p*t**, *ut it is r*l*t** to t**

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-5452: Remote code execution in pytorch lightning

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI