PT-2024-37290 · Pypi · Pytorch-Lightning
Published: 2024-06-27 · Updated: 2025-07-30 · CVE-2024-5980
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pytorch-lightning version 2.2.4
Description: A path traversal issue exists in the "/v1/runs" API endpoint and can be exploited when the endpoint extracts tar.gz files. An attacker can deploy a malicious tar.gz plugin that embeds arbitrary files, potentially causing arbitrary files to be written to any directory on the victim's local file system and leading to remote code execution.
Recommendations: For pytorch-lightning version 2.2.4, as a temporary workaround, consider disabling the plugin server to minimize the risk of exploitation, and avoid using the /v1/runs API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Path traversal

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2024-5980
GHSA-MR7H-W2QC-FFC2

Affected Products

Pytorch-Lightning