AVID-2026-R0935
Description
Code Injection in pytorchlightning/pytorch-lightning (CVE-2022-0845)
Details
Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.
Reason for inclusion in AVID: CVE-2022-0845 describes a code injection vulnerability in the PyTorch Lightning library (pytorch-lightning) prior to version 1.6.0. PyTorch Lightning is a widely used framework for AI model development and training, so this is a software supply-chain issue for general-purpose AI systems. It is clearly a security vulnerability (code execution risk) with CVSS metrics provided, and the report includes references and a patch commit, which is sufficient evidence for curation.
References
- NVD entry
- https://huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a
- https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae
Affected or Relevant Artifacts
- Developer: pytorchlightning
- Deployer: pytorchlightning
- Artifact Details:
| Type | Name |
|---|---|
| System | pytorchlightning/pytorch-lightning |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| Base Score | 7.3 |
| Base Severity | 🔴 High |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-03-05
- Version: 0.3.3
- AVID Entry