CVE-2024-9070

一、漏洞信息
 漏洞编号：[CVE-2024-9070](https://nvd.nist.gov/vuln/detail/CVE-2024-9070)
 漏洞归属组件：[python-horovod](https://gitee.com/src-openeuler/python-horovod)
 漏洞归属的版本：0.23.0
 CVSS V3.x分值：
  BaseScore：9.8 Critical
  Vector：CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 漏洞简述：
  A deserialization vulnerability exists in BentoML s runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution.
 漏洞公开时间：2025-03-20 18:15:46
 漏洞创建时间：2025-09-16 20:02:54
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-9070
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
|  | https://github.com/bentoml/BentoML/blob/a6f5f937be6ec278f3d4f3bbc6f3c8f9564820d7/src/bentoml/_internal/server/runner_app.py#L297 |  |
|  | https://github.com/advisories/GHSA-9g44-gwvm-hc44 |  |
|  | https://github.com/bentoml/BentoML/commit/42f937f90319cbc794274ca69d48df12f4aa1180 |  |
|  | https://huntr.com/bounties/7be6fc22-be18-44ee-a001-ac7158d5e1a5 |  |
|  | https://nvd.nist.gov/vuln/detail/CVE-2024-9070 |  |
|  | https://github.com/bentoml/BentoML/blob/v1.4.5/src/bentoml/_internal/server/runner_app.py#L301 |  |
|  | https://github.com/horovod/horovod/ |  |
|  | https://github.com/bentoml/BentoML |  |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  七彩瞬析开源风险感知平台
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://github.com/bentoml/BentoML/commit/42f937f90319cbc794274ca69d48df12f4aa1180 |  | snyk |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
                                         
 openEuler评分：
  9.8
 Vector：CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 受影响版本排查(受影响/不受影响)：
  1.master(0.23.0):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP3:
4.openEuler-22.03-LTS-SP4:
5.openEuler-24.03-LTS:
6.openEuler-24.03-LTS-Next:
7.openEuler-24.03-LTS-SP1:
8.openEuler-24.03-LTS-SP2:

修复是否涉及abi变化(是/否)：
  1.master(0.23.0):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP3:
4.openEuler-22.03-LTS-SP4:
5.openEuler-24.03-LTS:
6.openEuler-24.03-LTS-Next:
7.openEuler-24.03-LTS-SP1:
8.openEuler-24.03-LTS-SP2:

原因说明：
  1.master(0.23.0):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP3:
4.openEuler-22.03-LTS-SP4:
5.openEuler-24.03-LTS:
6.openEuler-24.03-LTS-Next:
7.openEuler-24.03-LTS-SP1:
8.openEuler-24.03-LTS-SP2:

src-openEuler/python-horovod
关闭

内容风险标识

评论 (3)

src-openEuler/python-horovod关闭 .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-9070

评论 (3)

搜索帮助

src-openEuler/python-horovod
关闭