Code Execution in the context of the program can be achieved in pytorch-lightning prior to v1.6.0
It is possible to execute OS commands or snippets of Python code in the context of the program through the PL_TRAINER_GPUS environment variable. Setting that variable to a malicious payload causes the payload to be executed, so an attacker who controls the environment can run their own commands in the same context as the pytorch-lightning process.
Affected versions: pytorch-lightning prior to 1.6.0
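The advisory does not show the affected code. The parser below is an added example, not pytorch-lightning's own code or its fix: it reads a value such as PL_TRAINER_GPUS as data with a strict grammar instead of evaluating the string, and rejects anything that is not an integer count or a list of integer ids (the accepted shapes and the helper names are my assumptions).

```python
import ast
import os
from typing import List, Mapping, Optional, Union

# Accepted shapes (assumption, modelled on how a trainer "gpus" setting is usually
# written): an int count ("2", "-1"), comma-separated ids ("0,1"), or a list ("[0, 1]").
GpuSpec = Union[int, List[int]]


def _is_int(value: object) -> bool:
    # bool is a subclass of int; "True" must not pass as a GPU id.
    return isinstance(value, int) and not isinstance(value, bool)


def parse_gpu_spec(raw: str) -> Optional[GpuSpec]:
    """Parse an untrusted GPU specification without evaluating it as code.

    Returns None for an empty value, an int for a count, or a list of ints for ids.
    Raises ValueError for anything else, including arbitrary Python expressions.
    """
    value = raw.strip()
    if not value:
        return None
    # Plain integer: "2" or "-1"
    try:
        return int(value)
    except ValueError:
        pass
    # Comma-separated ids: "0,1,3"
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if parts and all(p.lstrip("-").isdigit() for p in parts):
        return [int(p) for p in parts]
    # Bracketed list: "[0, 1]". literal_eval accepts literal syntax only; names,
    # attribute access and calls raise ValueError instead of being evaluated.
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a GPU specification: {value!r}") from exc
    if _is_int(parsed):
        return parsed
    if isinstance(parsed, (list, tuple)) and all(_is_int(x) for x in parsed):
        return list(parsed)
    raise ValueError(f"not a GPU specification: {value!r}")


def gpus_from_environment(env: Optional[Mapping[str, str]] = None) -> Optional[GpuSpec]:
    """Read PL_TRAINER_GPUS from an environment mapping (hypothetical consumer)."""
    env = os.environ if env is None else env
    return parse_gpu_spec(env.get("PL_TRAINER_GPUS", ""))
```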
Reported On: 3rd March, 2022
Made Public On: 4th March, 2022
Fixed On: 6th March, 2022