VDB
CVE-2024-37902
CVE-2024-37902
PUBLISHED
CVSS 10 CRITICAL
DeepJavaLibrary(DJL) is an Engine-Agnostic Deep Learning Framework in Java. DJL versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers version 0.27.0. Users are advised to upgrade.
EPSS 0.29% · 52.5th percentile
Risk Scores
CVSS v3.1
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.29%
52.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| deepjavalibrary | djl | >= 0.1.0, < 0.28.0 |
| Maven | ai.djl:api | 0.1.0 |
| deepjavalibrary | djl | 0.1.0 |
Timeline
- Jan 21, 1970 Security Advisory
- Jun 17, 2024 CVE Published
- Jun 18, 2024 EPSS Score
- Jul 11, 2024 EPSS Score
- Aug 2, 2024 EPSS Score
- Aug 25, 2024 EPSS Score
- Sep 17, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 10, 2024 EPSS Score
- Nov 1, 2024 EPSS Score
- Nov 24, 2024 EPSS Score
- Dec 18, 2024 EPSS Score
References
- https://github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj url
- https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0 url
- https://nvd.nist.gov/vuln/detail/CVE-2024-37902 advisory
- https://github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full url
- https://github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1 url
- https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6 url
- https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0 url
- https://github.com/deepjavalibrary/djl package