GHSA-hvj5-mvw9-93j3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hvj5-mvw9-93j3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-hvj5-mvw9-93j3/GHSA-hvj5-mvw9-93j3.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-hvj5-mvw9-93j3
- Aliases
- Published
- 2024-04-16T00:30:33Z
- Modified
- 2024-04-16T18:43:50.460366Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Insecure deserialization in BentoML
- Details
-
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.
- Database specific
{ "cwe_ids": [ "CWE-1188" ], "github_reviewed": true, "severity": "CRITICAL", "nvd_published_at": "2024-04-16T00:15:11Z", "github_reviewed_at": "2024-04-16T18:24:33Z" }- References
Affected packages
PyPI / bentoml
Package
- Name
- bentoml
- View open source insights on deps.dev
- Purl
- pkg:pypi/bentoml
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.2.5
Affected versions
0.*
0.0.1
0.0.2
0.0.3
0.0.5
0.0.6a0
0.0.7.dev0
0.0.7
0.0.8
0.0.8.post1
0.0.9
0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.3
0.3.4
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.7
0.4.8
0.4.9
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.9.0rc0
0.9.0
0.9.1
0.9.2
0.10.0
0.10.1
0.11.dev0
0.11.0
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
1.*
1.0.0.dev0
1.0.0.dev1
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0a6
1.0.0a7
1.0.0rc0
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.2.0a0
1.2.0a1
1.2.0a2
1.2.0a3
1.2.0a4
1.2.0a5
1.2.0a6
1.2.0a7
1.2.0rc1
1.2.0
1.2.1a1
1.2.1
1.2.2
1.2.3
1.2.4