Vulnerability
Code Execution in the context of the program can be achieved in pytorch-lightning prior to v1.6.0
Description
It is possible to execute OS commands or snippets of python code in the context of the program by using the PL_TRAINER_GPUS environment variable. Setting the environment variable with a malicious payload would lead to the execution of the payload thereby enabling an attacker to run their own commands in the same context as the pytorch-lightning program.
CVE-ID
CVE-2022-0845
Vendor
Pytorch Lightning
Product
pytorch-lightning prior to 1.6.0
Disclosure Timeline
Reported On: 3rd March, 2022
Made Public On: 4th March, 2022
Fixed On: 6th March, 2022
Credits
Debjeet Banerjee