CVE-2024-8396

No Score

Description

The DJL package's untar function attempts to prevent path traversal by checking for relative path traversals but fails to account for absolute path traversals. An attacker can exploit this by creating a tarfile with absolute paths, leading to arbitrary file overwrite and potential remote code execution. This can have severe consequences, including unauthorized SSH access, web server exploitation, and availability impacts.
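The class of flaw described above, shown as an added illustration in Java (DJL's own language); this is not DJL's code, and the destination directory and sample entry names are hypothetical. `weakCheck` mirrors a "contains `..`" test that lets absolute entries through, while `resolveInside` anchors every entry to the destination directory and rejects anything that resolves outside it.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Archive-entry path validation: weak form beside a hardened form. */
public final class SafeEntryPath {

    /**
     * Weak check: only rejects names containing "..". An absolute entry such
     * as "/tmp/elsewhere/file.txt" contains no ".." and is therefore accepted,
     * which is the gap the advisory describes.
     */
    public static boolean weakCheck(String entryName) {
        return !entryName.contains("..");
    }

    /**
     * Hardened check: refuse absolute entries outright, then resolve the entry
     * against the destination directory, normalize, and require the result to
     * remain under that directory. Path.startsWith compares whole components,
     * so "/tmp/model2" is not mistaken for a child of "/tmp/model".
     */
    public static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path entry = Paths.get(entryName);
        if (entry.isAbsolute()) {
            throw new IOException("absolute entry rejected: " + entryName);
        }
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entry).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/model"); // hypothetical extraction directory
        String[] samples = {"weights/model.bin", "../outside.txt", "/tmp/elsewhere/file.txt"};
        for (String name : samples) {
            System.out.printf("%-26s weak=%-5b ", name, weakCheck(name));
            try {
                System.out.println("hardened=ok -> " + resolveInside(dest, name));
            } catch (IOException e) {
                System.out.println("hardened=rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Symlinked entries already on disk are a separate concern: an extractor should also avoid following links inside the destination when writing files.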

References

https://thehackernews.com/2024/10/researchers-uncover-vulnerabilities-in.html

https://sightline.protectai.com/vulnerabilities/e1045bee-38c1-4ca1-9ef6-d85bccb02dc5/assess

Details

Source: Mitre, NVD

Published: 2024-10-29