CVE-2024-2912

EUVD-2024-1219

16.04.2024, 00:15

An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 91%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
bentoml	bentoml	1.2.0 ≤ 𝑥 ≤ 1.2.4	ADP

Common Weakness Enumeration

CWE-1188 - Insecure Default Initialization of Resource
The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References

https://github.com/bentoml/bentoml/commit/fd70379733c57c6368cc022ac1f841b7b426db7b

https://huntr.com/bounties/349a1cce-6bb5-4345-82a5-bf7041b65a68

https://github.com/bentoml/bentoml/commit/fd70379733c57c6368cc022ac1f841b7b426db7b

https://huntr.com/bounties/349a1cce-6bb5-4345-82a5-bf7041b65a68