Headline
GHSA-w877-jfw7-46rj: DeepJavaLibrary API absolute path traversal
Summary
DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0.
Impacted versions: 0.1.0 through 0.27.0
Patches
Patched Deep Learning Containers: v1.1-djl-0.27.0-inf-cpu-full v1.4-djl-0.27.0-inf-ds-0.12.6 v1.4-djl-0.27.0-inf-trt-0.8.0 v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1
Patched Library: v0.28.0
DeepJavaLibrary API absolute path traversal
Critical severity GitHub Reviewed Published Jun 17, 2024 in deepjavalibrary/djl • Updated Jun 17, 2024