google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0
860 stars, 178 forks

AI PRP: RCE in intel/neural-compressor CVE-2024-22476 #494

Closed frkngksl closed 1 week ago

frkngksl commented 1 month ago

Hi,

I want to implement a detection plugin for CVE-2024-22476.

Software Detail: An open-source Python library supporting popular model compression techniques on all mainstream deep learning frameworks (TensorFlow, PyTorch, ONNX Runtime, and MXNet).

Vulnerability Detail: The task/submit API in the Neural Solution component of Neural Compressor is vulnerable to this remote code execution (RCE) attack. The script_url parameter in the body of the POST request is not validated or filtered on the backend. As a result, attackers can manipulate this parameter to remotely execute arbitrary commands. It is vulnerable for versions before 2.5.0.

Ref: https://huntr.com/bounties/877a517f-76ec-45be-8d3b-2b5ac471bfeb
Ref: https://vulners.com/cvelist/CVELIST:CVE-2024-22476
Ref: https://drive.google.com/file/d/12DPdwmmTJhBBlX0tU-O21cidr4JGyrV7/view
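The bug class described in the request above (an unvalidated URL field from a POST body reaching a shell) is easiest to see with the vulnerable and hardened patterns side by side. The following is an illustrative example added to this page; it is not Neural Compressor's, Neural Solution's or Tsunami's code, and it makes no claim about how the real task/submit handler fetched the script. The function names, the `/tmp/task_script.py` path and the `ALLOWED_HOSTS` allow-list are assumptions chosen for the example.

```python
"""Illustration of an unvalidated `script_url` field reaching a shell (example code
added here; not Neural Compressor's or Tsunami's code). Names, paths and the
allow-list below are assumptions for the demonstration."""
from __future__ import annotations

import shlex
from urllib.parse import urlparse

# Assumed allow-list of hosts a deployment trusts to serve task scripts.
ALLOWED_HOSTS = {"models.example.internal"}


def build_fetch_command_vulnerable(script_url: str) -> str:
    """Vulnerable pattern: the untrusted URL is interpolated into a shell string
    (the kind of value later handed to os.system / subprocess with shell=True).
    Returned rather than executed so the injection can be inspected safely."""
    return f"wget -O /tmp/task_script.py {script_url}"


def shell_tokens(command_line: str) -> list[str]:
    """Tokenize roughly the way /bin/sh would: split on whitespace and emit
    separators such as ';', '&&', '||' and '|' as their own tokens."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_commands(command_line: str) -> list[str]:
    """Return the first word of every command that follows a shell separator,
    i.e. the commands an attacker smuggled in through the URL field."""
    tokens = shell_tokens(command_line)
    extras: list[str] = []
    for i, tok in enumerate(tokens):
        if tok in (";", "&&", "||", "|") and i + 1 < len(tokens):
            extras.append(tokens[i + 1])
    return extras


def validate_script_url(script_url: str) -> str:
    """Reject anything that is not an http(s) URL on an allow-listed host.
    Validation alone is not enough (a path can still carry '; id'), which is
    why the hardened builder below also avoids the shell entirely."""
    parsed = urlparse(script_url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"disallowed scheme: {parsed.scheme!r}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not allow-listed: {parsed.hostname!r}")
    return script_url


def build_fetch_command_hardened(script_url: str) -> list[str]:
    """Hardened form: validate, then build an argv list meant for
    subprocess.run(argv, shell=False). Shell metacharacters inside the URL
    reach wget as literal bytes in one argument and are never interpreted."""
    return ["wget", "-O", "/tmp/task_script.py", validate_script_url(script_url)]


if __name__ == "__main__":
    # Constructed sample input: an allow-listed host with a command appended.
    payload = "http://models.example.internal/s.py; id"
    print(injected_commands(build_fetch_command_vulnerable(payload)))  # ['id']
    print(build_fetch_command_hardened(payload))  # URL stays one argv element
```

The constructed payload passes the host allow-list, so the two versions differ only in how the value is executed: in the shell-string form the `; id` becomes a second command, while in the argv form it is part of a single (and harmless, if odd) URL argument. A detection plugin does not need to reproduce either side; the point for a plugin author is that the backend behaviour to fingerprint is command execution triggered by the field, not the URL fetch itself.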

tooryx commented 3 weeks ago

Hi @frkngksl,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.

Thanks!