CVE-2024-3924
Code injection vulnerability exists in the huggingface/text-generation-inference repository
Description
A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.
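As an added illustration, not the repository's actual `autodocs.yml`, the pattern described above beside the usual hardening: the first job interpolates `github.head_ref` directly into a shell `run` step, so the runner expands the branch name into the script text before the shell ever parses it; the second passes the same values through environment variables and references them as shell variables, so they arrive as data. The job names and the `pip install` target are assumptions.

```yaml
# Constructed example; not the real autodocs.yml from text-generation-inference.
on:
  pull_request:

jobs:
  # WEAK: a ${{ }} expression is substituted into the script text by the runner
  # before bash runs it, so a crafted branch name becomes part of the command.
  # The surrounding quotes do not help: the substitution happens before quoting
  # is interpreted.
  install-unsafe:
    runs-on: ubuntu-latest
    steps:
      - run: |
          pip install "git+https://github.com/${{ github.event.pull_request.head.repo.full_name }}@${{ github.head_ref }}"

  # HARDENED: route attacker-controlled context through `env`, then reference
  # the shell variable. The value is never part of the script source.
  install-safe:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # least privilege for the job's GITHUB_TOKEN
    steps:
      - env:
          HEAD_REF: ${{ github.head_ref }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          # Reject anything that does not look like a plain git ref before use.
          case "$HEAD_REF" in
            ''|*[!A-Za-z0-9._/-]*) echo "unexpected head ref" >&2; exit 1 ;;
          esac
          pip install "git+https://github.com/${HEAD_REPO}@${HEAD_REF}"
```

The allow-list check is defence in depth; the env-variable indirection alone already closes the injection, because the shell receives the value as a variable rather than as script text.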
How to fix CVE-2024-3924
To fix CVE-2024-3924, upgrade the affected package to one of the patched versions below.
- Upgrade to 2.0.0 or later
Is CVE-2024-3924 being exploited?
Low: EPSS is 0.4%, and no widespread exploitation activity has been observed.
Affected packages (1)
- from 0, < 2.0.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.4 | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N |