CVE-2024-4642
Withdrawn Advisory: Weights and Biases (wandb) has a Server-Side Request Forgery (SSRF) vulnerability
描述
## Withdrawn Advisory This advisory has been withdrawn because the underlying issue existed in Weights and Biases's backend server code, not the software development kit included in the `wandb` PyPI package, as originally reported. This link is maintained to preserve external references. ## Original Description A Server-Side Request Forgery (SSRF) vulnerability exists in the wandb/wandb repository due to improper handling of HTTP 302 redirects. This issue allows team members with access to the 'User settings -> Webhooks' function to exploit this vulnerability to access internal HTTP(s) servers. In severe cases, such as on AWS instances, this could potentially be abused to achieve remote code execution on the victim's machine. The vulnerability is present in the latest version of the repository.
如何修補 CVE-2024-4642
目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。
- —未列出修補版本
CVE-2024-4642 正在被利用嗎?
目前沒有被利用訊號。CVE-2024-4642 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(1)
- from 0, <= 0.17.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |