PT-2025-12028 · Horovod · Horovod

Published 2025-03-20 · Updated 2025-12-11 · CVE-2024-10190

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Horovod versions up to and including v0.28.1

Description

The issue is due to improper handling of base64-encoded data in the ElasticRendezvousHandler, a subclass of KVStoreHandler. Specifically, the _put_value method in ElasticRendezvousHandler calls codec.loads_base64(value), which eventually invokes cloudpickle.loads(decoded). Because the value comes straight from the body of a PUT request, an attacker who can reach the rendezvous server can send a malicious pickle object and achieve arbitrary code execution on that server.

Recommendations

For Horovod versions up to and including v0.28.1, consider disabling the ElasticRendezvousHandler or restricting network access to the _put_value endpoint until a patch is available. Avoid using the codec.loads_base64(value) function on data received by the affected ElasticRendezvousHandler class to minimize the risk of exploitation.
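The root cause above is that pickle (and cloudpickle, which calls into it) will resolve any module-level global named in the stream, so a decoder applied to request bodies must never do that. The following is an added defensive example, not Horovod's own codec module: it keeps the base64-plus-pickle wire format the advisory describes but loads it through an Unpickler whose find_class() refuses every global lookup, so only plain containers and scalars can be rebuilt. The function names dumps_base64, safe_loads_base64, unsafe_loads_base64 and loads_or_reject are assumptions chosen for illustration.

```python
"""Fail-closed decoding of base64(pickle) values received over HTTP.

Added example; not Horovod code. Function names are illustrative.
"""
import base64
import io
import pickle


class _PlainDataUnpickler(pickle.Unpickler):
    """Unpickler that denies every GLOBAL / STACK_GLOBAL resolution.

    pickle.loads can only reach callables (and therefore code execution)
    through find_class(). With find_class() refusing unconditionally, a
    stream can rebuild dict/list/tuple/set/str/bytes/int/float/bool/None
    and nothing else.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted data")


def dumps_base64(obj) -> str:
    """Encode a plain-data object as base64(pickle), the assumed wire format."""
    raw = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return base64.b64encode(raw).decode("ascii")


def unsafe_loads_base64(value: str):
    """The vulnerable pattern: unrestricted pickle.loads on request data.

    Kept only as the 'before' for comparison; never use on untrusted input.
    """
    return pickle.loads(base64.b64decode(value))


def safe_loads_base64(value: str, max_len: int = 64 * 1024):
    """Hardened replacement: size cap, strict base64, restricted unpickler."""
    if len(value) > max_len:
        raise ValueError("encoded payload exceeds %d bytes" % max_len)
    # validate=True rejects any character outside the base64 alphabet
    # instead of silently discarding it.
    decoded = base64.b64decode(value, validate=True)
    return _PlainDataUnpickler(io.BytesIO(decoded)).load()


def loads_or_reject(value: str):
    """Decode a request value, returning ("ok", obj) or ("rejected", reason).

    Any failure (denied global, bad base64, truncated or malformed stream)
    is treated as a rejection so the handler fails closed and can log it.
    """
    try:
        return "ok", safe_loads_base64(value)
    except Exception as exc:  # fail closed on any decoding problem
        return "rejected", f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Constructed sample: the kind of plain-data value a rendezvous
    # handler legitimately stores.
    wire = dumps_base64({"host": "worker-0", "slots": [0, 1]})
    print(loads_or_reject(wire))
    # A stream that merely references a module-level global (here the
    # harmless builtin len) is refused by the restricted loader but
    # accepted by the unrestricted one.
    print(loads_or_reject(dumps_base64(len)))
    print(unsafe_loads_base64(dumps_base64(len)) is len)
```

The restricted unpickler is a stop-gap that preserves the existing protocol; where both ends can be changed, switching the value encoding to JSON removes the deserialization class of risk entirely, since JSON has no mechanism for naming code.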

Tags: RCE · Command Injection · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2024-10190
GHSA-MRHH-3GGQ-23P2

Affected Products

Horovod