Insecure Deserialization Vulnerability in BentoML Allows Remote Code Execution
CVE-2024-2912
What is CVE-2024-2912?
An insecure deserialization vulnerability has been identified in the BentoML framework that permits remote code execution via a specifically crafted POST request. The vulnerability is exploited when a maliciously constructed serialized object is sent to a legitimate endpoint of the BentoML application. Upon deserialization, this object can execute arbitrary operating system commands, allowing an attacker to gain unauthorized access to and control over the server hosting the BentoML framework. Such flaws highlight the critical importance of handling serialized objects securely to guard against exploitation and data breaches.
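As an added illustration (not BentoML's code and not taken from the advisory), the snippet below shows the two halves of the flaw described above: a request body deserialized directly, where any callable referenced in the stream is resolved and invoked, beside a restricted loader that refuses every global lookup so plain data still loads but nothing can be executed. The advisory does not name the serialization format, so Python pickle is assumed; `is_affected`, `unsafe_loads`, `safe_loads`, `is_rejected` and the two sample payloads are this example's own names and constructed data, and the callable invoked on load is the harmless `os.getcwd` so the example can be run safely.

```python
"""Illustration of the deserialization risk behind CVE-2024-2912 and a
defence-in-depth check. Constructed example, not BentoML code; the advisory
does not name the serialization format, so Python pickle is assumed here."""
import io
import os
import pickle


def is_affected(version: str) -> bool:
    """Return True for BentoML versions below 1.2.5 (the range the advisory lists)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts < (1, 2, 5)


class _CallOnLoad:
    """Object whose pickled form instructs the loader to call a callable.

    The same mechanism is what lets a crafted object run OS commands; here the
    callable is os.getcwd, which only returns a string, so running this is safe.
    """

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample request bodies: one benign, one that triggers a call on load.
BENIGN_PAYLOAD = pickle.dumps({"input": [1, 2, 3]})
CALL_ON_LOAD_PAYLOAD = pickle.dumps(_CallOnLoad())


def unsafe_loads(body: bytes):
    """The vulnerable pattern: deserializing an untrusted request body directly.

    Any module/attribute referenced in the stream is imported and, via the
    REDUCE opcode, invoked before this function returns.
    """
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (module/attribute) lookup.

    Plain data (dicts, lists, numbers, strings, bytes) never needs a global
    lookup, so it still loads; anything that tries to resolve a callable is
    rejected before it can be invoked.
    """

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted input"
        )


def safe_loads(body: bytes):
    """Hardened pattern: load with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(body)).load()


def is_rejected(body: bytes) -> bool:
    """True when safe_loads refuses the body; False when it loads cleanly."""
    try:
        safe_loads(body)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("1.2.4 affected:", is_affected("1.2.4"))
    print("unsafe_loads invoked a callable, returning:", unsafe_loads(CALL_ON_LOAD_PAYLOAD))
    print("safe_loads rejects that body:", is_rejected(CALL_ON_LOAD_PAYLOAD))
    print("safe_loads still accepts plain data:", safe_loads(BENIGN_PAYLOAD))
```

The restricted loader is defence in depth, not the fix: for this CVE the remedy the advisory supports is upgrading BentoML to 1.2.5 or later, and an endpoint that must accept client-supplied data is better served by a data-only format than by any object-serialization format, however restricted.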

Affected Version(s)
bentoml/bentoml < 1.2.5
News Articles
CVE-2024-2912 : BENTOML FRAMEWORK UP TO 1.2.4 POST REQUEST INSECURE DEFAULT INITIALIZATION OF RESOURCE - Cloud WAF
CVE-2024-2912 : An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request.
References
EPSS Score
7% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- First article discovered by prophaze.com
- Vulnerability published
- Vulnerability reserved
