AI Threat Alert
A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the...
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| bentoml | pip | <= 1.4.5 | No patch |
Do you use bentoml? You're affected.
Severity & Risk
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution.
Weaknesses (CWE)
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- github.com/advisories/GHSA-9g44-gwvm-hc44
- github.com/bentoml/BentoML/blob/a6f5f937be6ec278f3d4f3bbc6f3c8f9564820d7/src/bentoml/_internal/server/runner_app.py
- github.com/bentoml/BentoML/blob/v1.4.5/src/bentoml/_internal/server/runner_app.py
- huntr.com/bounties/7be6fc22-be18-44ee-a001-ac7158d5e1a5
- nvd.nist.gov/vuln/detail/CVE-2024-9070
- huntr.com/bounties/7be6fc22-be18-44ee-a001-ac7158d5e1a5