PT-2024-5048 · Unknown · Deepjavalibrary

Tosterberg · Published 2024-05-16 · Updated 2024-07-08 · CVE-2024-37902

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DeepJavaLibrary (DJL) versions 0.1.0 through 0.27.0
Description: DJL does not properly restrict the file paths of entries contained in archived model artifacts. An archive entry that carries an absolute path is written to that path instead of under the intended extraction directory, so a remote attacker who can get a crafted model archive loaded can overwrite arbitrary files with the privileges of the DJL process (path traversal during archive extraction, commonly called zip slip). The number of potentially affected deployments is not specified, and there are no known reports of this issue being exploited in the wild.
Recommendations: Users of DeepJavaLibrary (DJL) 0.1.0 through 0.27.0 should upgrade to version 0.28.0; users of the DJL Large Model Inference containers should move to the patched 0.27.0 container build. As a temporary workaround, reject archived artifacts whose entries use absolute paths (or otherwise resolve outside the extraction directory) before extracting them, and only load model artifacts from sources you trust.
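As an added illustration (not code from DJL or from this advisory), the following Java program shows the mechanism behind this class of bug and the check that closes it. It builds an archive in memory with a benign entry, an absolute-path entry and a `../` entry; computes the extraction target the naive way a vulnerable extractor does, with `Path.resolve`, which hands back an absolute entry name unchanged; and then computes it the hardened way, normalizing the candidate and requiring it to stay under the extraction directory, failing the whole extraction closed. The entry names, payload and method names (`unsafeTarget`, `safeTarget`, `extract`) are constructed for this example; it needs Java 11 or later and writes only into a fresh temporary directory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // Constructed sample archive: one benign entry plus two hostile entry names.
    // Real attacks would carry e.g. a cron job or an authorized_keys file here.
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : new String[] {"model/config.json", "/etc/cron.d/evil", "../../evil.sh"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("payload".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: trust the entry name. Path.resolve() returns an absolute
    // argument as-is, so "/etc/cron.d/evil" is written to /etc/cron.d/evil, not under dir.
    static Path unsafeTarget(Path dir, String entryName) {
        return dir.resolve(entryName);
    }

    // Hardened pattern: reject absolute entry names explicitly, then normalize the
    // resolved candidate and insist that it still starts with the extraction directory.
    // The startsWith check is the authoritative one; it also catches "../" sequences.
    static Path safeTarget(Path dir, String entryName) throws IOException {
        Path base = dir.toAbsolutePath().normalize();
        Path candidate = base.resolve(entryName).normalize();
        if (Path.of(entryName).isAbsolute() || !candidate.startsWith(base)) {
            throw new IOException("archive entry escapes extraction directory: " + entryName);
        }
        return candidate;
    }

    // Extract with the hardened check. Any hostile entry aborts the whole extraction
    // (fail closed) rather than silently skipping it.
    static void extract(byte[] archive, Path dir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                Path target = safeTarget(dir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target); // reads only the current entry's bytes
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("djl-model-");
        byte[] archive = buildArchive();

        // Show, per entry, where a naive extractor would write versus what the check decides.
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                String name = e.getName();
                System.out.println("entry " + name);
                System.out.println("  naive resolve -> " + unsafeTarget(dir, name));
                try {
                    System.out.println("  checked       -> " + safeTarget(dir, name));
                } catch (IOException ex) {
                    System.out.println("  checked       -> REJECTED (" + ex.getMessage() + ")");
                }
            }
        }

        // The hardened extractor refuses the archive as a whole.
        try {
            extract(archive, dir);
            System.out.println("extracted into " + dir);
        } catch (IOException ex) {
            System.out.println("extraction aborted: " + ex.getMessage());
        }
    }
}
```

The same check applies to tar extraction: validate each entry name against the extraction directory before opening any output file, and treat a single bad entry as grounds to reject the artifact rather than to skip it, since a partially extracted model is itself a confusing failure mode.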

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2024-05575
CVE-2024-37902
GHSA-W877-JFW7-46RJ

Affected Products

Deepjavalibrary