Name of the Vulnerable Software and Affected Versions:

lightning-ai/pytorch-lightning version 2.3.2

Description:

A vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

Recommendations:

At the moment, there is no information about a newer version that contains a fix for this vulnerability.