CVE-2023-38673
`os.system` in `fs.py` can lead to command injection: the path passed to `LocalFS.mkdirs` is interpolated into a shell command string, so shell metacharacters in the path are executed as additional commands. The PoC is as follows:

```python
from paddle.distributed.fleet.utils import LocalFS
client = LocalFS()
client.mkdirs("hi;pwd;")  # the ";pwd;" part is run by the shell alongside the mkdir
```
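The following is an added example, not PaddlePaddle's code: `VulnerableLocalFS` is an illustrative reconstruction of the pattern the advisory describes (a user-controlled path formatted into an `os.system` command), and `HardenedLocalFS` shows two fixes that keep the path out of a shell entirely. `probe` runs a constructed payload in a throwaway temp directory and reports whether the injected command executed; class and function names are hypothetical.

```python
import os
import subprocess
import tempfile


class VulnerableLocalFS:
    """Illustrative reconstruction of the vulnerable pattern (not PaddlePaddle's code):
    the caller-supplied path is formatted into a shell command and passed to os.system,
    so ';', '|', '$(...)' and friends inside the path are parsed and run by the shell."""

    def mkdirs(self, fs_path):
        os.system("mkdir -p {}".format(fs_path))


class HardenedLocalFS:
    """Two ways to remove the shell from the operation."""

    def mkdirs(self, fs_path):
        # Preferred: no subprocess at all; the string is only ever used as a path.
        os.makedirs(fs_path, exist_ok=True)

    def mkdirs_subprocess(self, fs_path):
        # If an external tool really is needed: pass an argv list with shell=False
        # (the default), so the path is delivered as one argument and never re-parsed.
        subprocess.run(["mkdir", "-p", fs_path], check=True)


def probe(mkdirs):
    """Call mkdirs with an injection payload inside a fresh temp dir.

    Returns whether the injected command ran (a marker file appeared) and whether
    the payload was instead treated literally (a directory named "hi;touch " exists).
    """
    with tempfile.TemporaryDirectory() as root:
        marker = os.path.join(root, "pwned")
        # Constructed payload, same shape as the advisory's "hi;pwd;" but with a
        # side effect we can observe on disk.
        payload = "{}/hi;touch {};".format(root, marker)
        mkdirs(payload)
        return {
            "injected_command_ran": os.path.isfile(marker),
            "literal_dir_created": os.path.isdir(os.path.join(root, "hi;touch ")),
        }


if __name__ == "__main__":
    print("vulnerable           :", probe(VulnerableLocalFS().mkdirs))
    print("hardened (os.makedirs):", probe(HardenedLocalFS().mkdirs))
    print("hardened (subprocess) :", probe(HardenedLocalFS().mkdirs_subprocess))
```

With the vulnerable class the marker file appears and no `hi;touch ` directory exists, because the shell split the string into two commands; with either hardened variant the whole string is treated as a single path, so the odd-looking directory is created and nothing else runs. Of the two fixes, `os.makedirs` is the better choice here since it needs no external process at all.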
We have patched the issue in commit 2bfe358043096fdba9e2a4cf0f5740102b37fd8f. The fix will be included in PaddlePaddle 2.5.0.
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
This vulnerability has been reported by Xiaochen Guo from Huazhong University of Science and Technology.