CVE-2024-2914 – TarSlip Vulnerability in deepjavalibrary/djl
https://notcve.org/view.php?id=CVE-2024-2914
Exploitation of this vulnerability could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service.
References: https://github.com/deepjavalibrary/djl/commit/5235be508cec9e8cb6f496a4ed2fa40e4f62c370 ; https://huntr.com/bounties/b064bd2f-bf6e-4fc0-898e-7d02a9b97e24
CWE-29: Path Traversal: '\..\filename'
CVE-2024-5452 – RCE via Property/Class Pollution in lightning-ai/pytorch-lightning
https://notcve.org/view.php?id=CVE-2024-5452
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. ... When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.
References: https://huntr.com/bounties/486add92-275e-4a7b-92f9-42d84bc759da
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2024-4889 – Code Injection in berriai/litellm
https://notcve.org/view.php?id=CVE-2024-4889
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. ... Specifically, by setting the `UI_LOGO_PATH` variable to a remote server address in the `get_image` function, an attacker can write a malicious Google KMS configuration file to the `cached_logo.jpg` file. This file can then be used to execute arbitrary code by assigning malicious code to the `SAVE_CONFIG_TO_DB` environment variable, leading to full system control.
References: https://huntr.com/bounties/be3fda72-a65b-4993-9a0e-7e0f05db51f8
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-1879 – CSRF to RCE in significant-gravitas/autogpt
https://notcve.org/view.php?id=CVE-2024-1879
A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server.
References: https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 ; https://huntr.com/bounties/125c2d0c-0481-4e5c-ae90-fec263acdf32
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-3104 – Remote Code Execution in mintplex-labs/anything-llm
https://notcve.org/view.php?id=CVE-2024-3104
A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the `POST /api/system/update-env` endpoint, which allows for the execution of arbitrary code on the host running anything-llm. ... Successful exploitation could lead to code execution on the host, enabling attackers to read and modify data accessible to the user running the service, potentially leading to a denial of service.
References: https://github.com/mintplex-labs/anything-llm/commit/bfedfebfab032e6f4d5a369c8a2f947c5d0c5286 ; https://huntr.com/bounties/4f2fcb45-5828-4bec-985a-9d3a0ee00462
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')