{"data":{"id":"1e895207-2487-4440-bf75-87b53725236f","title":"CVE-2024-2912: An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sendi","summary":"BentoML (a framework for building AI applications) contains an insecure deserialization vulnerability that lets remote attackers run arbitrary commands on a server by sending specially crafted requests. When the framework deserializes (converts serialized data back into usable objects) a malicious object from such a request, OS commands embedded in that object are executed automatically, giving the attacker control of the server.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-2912","publishedAt":"2024-04-16T04:15:11.427Z","cveId":"CVE-2024-2912","cweIds":["CWE-1188"],"cvssScore":"10","cvssSeverity":"critical","severity":"critical","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["BentoML"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.07494,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}