CVE-2024-8019 — CRITICAL (9.1)

Vulnerability Description

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Lightningai	Pytorch Lightning	2.3.2

Related Weaknesses (CWE)

CWE-434

References

https://github.com/lightning-ai/pytorch-lightning/commit/330af381de88cff17515418Patch
https://huntr.com/bounties/2754298b-5af5-48ef-8b38-999093ddf2bdExploitThird Party Advisory

FAQ

What is CVE-2024-8019?

CVE-2024-8019 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing ...

How severe is CVE-2024-8019?

CVE-2024-8019 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-8019?

Check the references section above for vendor advisories and patch information. Affected products include: Lightningai Pytorch Lightning.