PT-2024-22759 · Djl · Djl

Published: 2024-06-06 · Updated: 2024-09-26 · CVE-2024-2914

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: djl version 0.26.0

Description: A TarSlip vulnerability exists in the djl library, allowing an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. This could lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The issue is due to improper validation of file paths during tar file extraction, as seen in multiple parts of the library's codebase, including the util.py and extract_imagenet.py scripts.

Recommendations: For version 0.26.0, update to version 0.27.0 to resolve the issue. As a temporary workaround, consider restricting the extraction of tar files to minimize the risk of exploitation. Avoid using the vulnerable library until the issue is resolved.
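Added example, not djl's own code: the kind of per-member path check that closes a TarSlip like the one described above, applied to a constructed in-memory archive. The `dest` directory and the sample member names are assumptions made for the demonstration.

```python
import io
import os
import tarfile

def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """True only if extracting `member` cannot write outside `dest`."""
    dest_real = os.path.realpath(dest)
    # Normalise the member path first: this catches '../' segments and absolute names.
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return False
    if member.issym() or member.islnk():
        # Symlink targets are relative to the member's directory, hard links to the archive root.
        base = os.path.dirname(target) if member.issym() else dest_real
        link = os.path.realpath(os.path.join(base, member.linkname))
        return os.path.commonpath([dest_real, link]) == dest_real
    return True

def audit_archive(archive: bytes, dest: str) -> dict:
    """Classify every member of an in-memory tar without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return {m.name: member_is_safe(m, dest) for m in tar.getmembers()}

def safe_extract(archive: bytes, dest: str) -> list:
    """Extract only members that pass the check; return the names extracted."""
    os.makedirs(dest, exist_ok=True)
    kept = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if member_is_safe(m, dest):
                tar.extract(m, path=dest)  # Python 3.12+: filter="data" adds the same guard
                kept.append(m.name)
    return kept

def build_archive(entries) -> bytes:
    """Constructed sample archive; entries are (name, payload, symlink_target_or_None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            else:
                info.size = len(data)
            tar.addfile(info, None if link is not None else io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: one benign file, one '../' escape, one symlink pointing outside dest.
SAMPLE = build_archive([("model/weights.bin", b"ok", None), ("../escaped.txt", b"bad", None),
                        ("model/link", b"", "../../outside")])
```

`audit_archive(SAMPLE, dest)` flags the two escaping members as unsafe while keeping the benign one; `safe_extract` is the same check applied during extraction.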

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2024-2914

Affected Products: Djl