Closed frkngksl closed 1 week ago
One point I should mention is that the neural-compressor web server works multi-threaded. Therefore, sending a sleep command to detect the vulnerability doesn't work, because the injected command runs in another thread (different from the thread that sends the response). That's why I didn't add a check for cases in which the callback server is not available.
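The detection problem described in the comment above, as an added example that is not part of the plugin or of this PR: a constructed stand-in for a server that hands each request to a worker thread and replies immediately, a constructed callback server, and two detector checks showing why a timing-based check gives a false negative there while an out-of-band callback does not. Nothing is executed on a real system; the "injected" task is a plain Python callable, and the class and function names are assumptions.

```python
import threading
import time
from typing import Callable, List


class AsyncTaskServer:
    """Constructed model of a multi-threaded web server: the request handler
    starts the submitted task in a worker thread and returns at once, so the
    response never waits for the task to finish (the behaviour the comment
    describes). `executes=False` models a server that is not vulnerable."""

    def __init__(self, executes: bool = True) -> None:
        self.executes = executes
        self.threads: List[threading.Thread] = []

    def handle_request(self, task: Callable[[], None]) -> str:
        if self.executes:
            worker = threading.Thread(target=task, daemon=True)
            worker.start()
            self.threads.append(worker)
        return "accepted"  # sent before the task completes


class CallbackServer:
    """Constructed out-of-band callback receiver keyed by a per-scan token."""

    def __init__(self) -> None:
        self._hits = set()
        self._lock = threading.Lock()

    def record(self, token: str) -> None:
        with self._lock:
            self._hits.add(token)

    def has_hit(self, token: str) -> bool:
        with self._lock:
            return token in self._hits


def time_based_check(server: AsyncTaskServer, delay: float = 0.5) -> bool:
    """Sleep-based probe: flags the target only if the response is delayed.
    Against a multi-threaded server the sleep runs off the response path,
    so this returns False even when the task was executed (false negative)."""
    start = time.monotonic()
    server.handle_request(lambda: time.sleep(delay))
    return time.monotonic() - start >= delay * 0.8


def callback_based_check(server: AsyncTaskServer, cb: CallbackServer,
                         token: str, wait: float = 1.0) -> bool:
    """Out-of-band probe: the task reports to the callback server, so
    detection does not depend on when the HTTP response is sent."""
    server.handle_request(lambda: cb.record(token))
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        if cb.has_hit(token):
            return True
        time.sleep(0.02)
    return False
```

Because the callback check is the only one that works here, it also cannot report anything when no callback server is reachable, which is the gap the comment refers to.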
Hi @leonardo-doyensec ,
Thank you for your comments. I think I have addressed all of your review comments as you advised. Could you review the changes again, please?
Sent the last change too, @leonardo-doyensec.
LGTM - Approved. @maoning, we can merge this. Moreover, we can also merge the testbed.
Reviewer: Leonardo, Doyensec
Plugin: CVE-2024-22476 Detector - OS Command Injection in Intel Neural Compressor
Feedback: The overall quality is decent. The security testbed was easy to deploy, but the steps to trigger the vulnerability manually were missing at first. The plugin was lacking a fingerprinting phase, and some minor formatting aspects were overlooked. The contributor was really fast to address all the issues.
Drawback: None.
Hi @tooryx ,
This is the plugin PR that resolves #494.
Vulnerable and fixed environments are here: https://github.com/google/security-testbeds/pull/63