
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.

References:
• https://github.com/bentoml/bentoml/commit/fd70379733c57c6368cc022ac1f841b7b426db7b
• https://huntr.com/bounties/349a1cce-6bb5-4345-82a5-bf7041b65a68

Weakness: CWE-1188: Initialization of a Resource with an Insecure Default