PT-2024-22428 · Greykite · Greykite

Published: 2024-03-14 · Updated: 2025-09-18 · CVE-2024-28425

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: greykite version 1.0.0

Description: An arbitrary file upload vulnerability in the load_obj function at /templates/pickle_utils.py allows attackers to execute arbitrary code by uploading a crafted file.

Recommendations: For greykite version 1.0.0, consider disabling the load_obj function at /templates/pickle_utils.py until a patch is available, to prevent exploitation of the arbitrary file upload vulnerability. Restrict access to the /templates/pickle_utils.py module to minimize the risk of exploitation. Avoid using the vulnerable function to load objects from untrusted sources until the issue is resolved.
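The last recommendation can be enforced in code rather than by convention. The following is an added example, not code from Greykite or from this advisory: it assumes load_obj deserializes Python pickle data, as the module name suggests, and shows a loader that authenticates a file with HMAC-SHA256 before any unpickling happens. The names dump_signed, load_verified and UntrustedPickleError, the key, and the sample object are hypothetical.

```python
import hashlib
import hmac
import pickle
import tempfile
from pathlib import Path

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class UntrustedPickleError(Exception):
    """File failed authentication; nothing was unpickled."""


def dump_signed(obj, path, key):
    """Write an HMAC-SHA256 tag followed by the pickle bytes it covers."""
    payload = pickle.dumps(obj)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    Path(path).write_bytes(tag + payload)


def load_verified(path, key):
    """Unpickle only if the tag verifies; refuse before pickle.loads runs."""
    blob = Path(path).read_bytes()
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        raise UntrustedPickleError(f"{path}: HMAC check failed")
    return pickle.loads(payload)


def demo():
    """Round-trip a constructed object, then reject a modified copy."""
    key = b"constructed-demo-key"  # hypothetical; keep real keys out of source
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "model.pkl"
        dump_signed({"model": "constructed sample", "horizon": 7}, path, key)
        loaded = load_verified(path, key)
        # Constructed stand-in for a replaced file: flip one payload bit in place.
        data = bytearray(path.read_bytes())
        data[-2] ^= 0x01
        path.write_bytes(bytes(data))
        try:
            load_verified(path, key)
            rejected = False
        except UntrustedPickleError:
            rejected = True
    return loaded, rejected
```

The key has to live where whoever can write the files cannot read it. The check establishes that a file came from a trusted writer; it does not make unpickling attacker-supplied data safe.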

Weakness Enumeration: Unrestricted File Upload

Related Identifiers

CVE-2024-28425
PYSEC-2024-276

Affected Products

Greykite