Created
October 24, 2024 15:36
-
-
Save hexian2001/51c6257351098e5b086a12ad247cc6ca to your computer and use it in GitHub Desktop.
CVE-2024-48206
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## CVE-2024-48206: Deserialization of Untrusted Data in Chainer’s Chainermn | |
### Description | |
A vulnerability in Chainer v7.8.1.post1 allows for the deserialization of untrusted data, leading to the execution of arbitrary code. The issue is located in the `chainermn` module, specifically in the communication utility component responsible for handling data exchange between nodes in a distributed system. This vulnerability can be exploited remotely by sending specially crafted serialized payloads that, when deserialized, can execute arbitrary commands. | |
### Vulnerability Type | |
- CWE-502: Deserialization of Untrusted Data | |
### Affected Product Code Base | |
- Chainer v7.8.1.post1 (https://github.com/chainer/chainer) | |
### Affected Component | |
- `chainermn/communicators/_communication_utility.py` (https://github.com/chainer/chainer/blob/a8e15cbe55a90854a3918b8b5a976abbbff9ec94/chainermn/communicators/_communication_utility.py#L171) | |
### Attack Type | |
- Remote | |
### Impact | |
- Code Execution | |
### Attack Vectors | |
Exploitation occurs through the deserialization of untrusted data within the communication utility of Chainer’s `chainermn` module. Attackers can craft payloads that, when processed by the vulnerable function, result in code execution. | |
### Reference | |
- [Chainer’s Chainermn MPI Deserialization Vulnerability](https://rumbling-slice-eb0.notion.site/chainer-s-chainermn-has-MPI-Deserialization-vulnerability-in-chainer-chainer-c6a004feb53a447e8fb440968d73d6fd?pvs=4) | |
### Discoverer | |
- HRP, Aftersnow, Gxh |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment