Technical Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

Code Injection in pytorch-lightning prior to 1.6.0

Vulnerability

Code execution in the context of the program can be achieved in pytorch-lightning prior to v1.6.0.

Description

An attacker can execute OS commands or snippets of Python code in the context of the program through the PL_TRAINER_GPUS environment variable. Setting the variable to a malicious payload causes the payload to be executed, which lets the attacker run their own commands in the same context as the pytorch-lightning program.
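
The bug class described above, shown as an added example that is not taken from the advisory or from the pytorch-lightning code base. It assumes the environment value reaches Python's eval(), which the page does not show, and contrasts that with ast.literal_eval() and a pre-launch audit of PL_TRAINER_* variables. All function names and sample values are constructed for illustration.

```python
import ast
from contextlib import suppress

PREFIX = "PL_TRAINER_"  # prefix of the variable named in the advisory

# Constructed sample environment; len('abc') is a harmless stand-in for
# an attacker-supplied expression.
SAMPLE_ENV = {
    "PL_TRAINER_GPUS": "len('abc')",
    "PL_TRAINER_MAX_EPOCHS": "10",
    "PL_TRAINER_STRATEGY": "ddp",
    "PATH": "/usr/bin",
}

# AST node types that mean "this value is code, not data".
CODE_NODES = (ast.Call, ast.Attribute, ast.Subscript, ast.Lambda,
              ast.ListComp, ast.SetComp, ast.DictComp, ast.GeneratorExp)


def parse_unsafe(val):
    """Assumed vulnerable pattern: eval() runs any expression in val."""
    with suppress(Exception):
        return eval(val)
    return val


def parse_safe(val):
    """Hardened form: only Python literals are converted, nothing runs."""
    with suppress(ValueError, TypeError, SyntaxError, MemoryError, RecursionError):
        return ast.literal_eval(val)
    return val  # not a literal: keep the raw string


def audit(environ):
    """Names of PL_TRAINER_* variables whose value parses as executable code."""
    flagged = []
    for name, val in environ.items():
        if not name.startswith(PREFIX):
            continue
        try:
            tree = ast.parse(val, mode="eval")
        except (SyntaxError, ValueError):
            continue  # not a Python expression, so eval() could not run it
        if any(isinstance(node, CODE_NODES) for node in ast.walk(tree)):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(audit(SAMPLE_ENV))
```

Running audit(os.environ) in a job wrapper before the training process starts gives a cheap check on hosts that cannot yet be upgraded to 1.6.0 or later.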

CVE-ID

CVE-2022-0845

Vendor

PyTorch Lightning

Product

pytorch-lightning prior to 1.6.0

Disclosure Timeline

Reported On: 3rd March, 2022

Made Public On: 4th March, 2022

Fixed On: 6th March, 2022

Credits

Debjeet Banerjee