TarSlip Path Traversal in DJL 0.26.0 (fixed 0.27.0)
CVE-2024-2914 Published on June 6, 2024
TarSlip Vulnerability in deepjavalibrary/djl
A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. This vulnerability allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation of this vulnerability could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The vulnerability is due to improper validation of file paths during the extraction of tar files, as demonstrated in multiple occurrences within the library's codebase, including but not limited to the files_util.py and extract_imagenet.py scripts.
Weakness Type
Path Traversal: '\..\filename'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
Products Associated with CVE-2024-2914
Want to know whenever a new CVE is published for Djl Deep Java Library? stack.watch will email you.
Affected Versions
deepjavalibrary/djl:- Version unspecified and below 0.27.0 is affected.
- Version 026.0 and below 0.27.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.