CVE-2024-3924

Code Injection in huggingface/text-generation-inference

Severity Score

4.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.

Existe una vulnerabilidad de inyección de código en el repositorio huggingface/text-generation-inference, específicamente dentro del archivo de flujo de trabajo `autodocs.yml`. La vulnerabilidad surge del manejo inseguro de la entrada del usuario `github.head_ref`, que se utiliza para construir dinámicamente un comando para instalar un paquete de software. Un atacante puede aprovechar esto bifurcando el repositorio, creando una rama con una carga útil maliciosa como nombre y luego abriendo una solicitud de extracción al repositorio base. La explotación exitosa podría conducir a la ejecución de código arbitrario dentro del contexto del ejecutor de GitHub Actions. Este problema afecta a las versiones hasta la v2.0.0 incluida y se solucionó en la versión 2.0.0.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-17 CVE Reserved
2024-05-30 CVE Published
2024-05-31 EPSS Updated
2024-06-26 First Exploit
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (4)

URL	Tag	Source
https://github.com/huggingface/text-generation-inference/commit/88702d876383f7200eccf67e28ba00500dc804bb
https://huntr.com/bounties/8af92fc2-0103-4d29-bb28-c3893154c422

URL	Date	SRC
https://github.com/zunak/CVE-2024-39249	2024-06-26
https://github.com/jasonthename/CVE-2024-39248	2024-06-26

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Huggingface Search vendor "Huggingface"		Text Generation Inference Search vendor "Huggingface" for product "Text Generation Inference"				*		-		Affected