CVE-2024-52803

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Nov 21, 2024
CWE ID 79

Summary

CVE-2024-52803 is a critical remote OS command injection vulnerability affecting LLama Factory, a tool used for fine-tuning large language models. The issue arises from the insecure usage of Python's `Popen` function with `shell=True` during the training process. Malicious actors can exploit this vulnerability by providing unsanitized user input, allowing them to execute arbitrary OS commands on the host system. This vulnerability poses a significant risk and requires immediate remediation. Users are advised to upgrade to version 0.9.1, which addresses this issue.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share