SQL Injection Affecting neural-compressor package, versions [,2.5)
Snyk CVSS
Attack Complexity
Low
Scope
Changed
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-NEURALCOMPRESSOR-6673229
- published 24 Apr 2024
- disclosed 1 Apr 2024
- credit Unknown
How to fix?
Upgrade neural-compressor to version 2.5 or higher.
Overview
neural-compressor is a Repository of Intel® Neural Compressor
Affected versions of this package are vulnerable to SQL Injection allowing attackers to manipulate database fields like q_model_path, enabling unauthorized downloads from the host system. This flaw also made the Neural Solution component susceptible to remote code execution (RCE) by exploiting unvalidated script_url parameters in POST requests.