CVE-2024-37902

Description

## Summary DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0. **Impacted versions: 0.1.0 through 0.27.0** ## Patches Patched Deep Learning Containers: [v1.1-djl-0.27.0-inf-cpu-full](https://github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full) [v1.4-djl-0.27.0-inf-ds-0.12.6](https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6) [v1.4-djl-0.27.0-inf-trt-0.8.0](https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0) [v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1](https://github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1) Patched Library: [v0.28.0](https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0)

How to fix CVE-2024-37902

To remediate CVE-2024-37902, upgrade the affected package to a fixed version below.

• —upgrade to 0.28.0 or later

Is CVE-2024-37902 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 0.1.0, < 0.28.0

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-37902
• PATCHgithub.com/deepjavalibrary/djl
• WEBgithub.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full
• WEBgithub.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1