CVE-2024-2914
Published: 06 June 2024
Summary
CVE-2024-2914 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Djl Deep Java Library. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 24.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Deep Learning Frameworks; in the Data-Related Vulnerabilities risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), Exfiltration via AI Inference API (AML.T0024), External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-27857
Vulnerability details
A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. This vulnerability allows an attacker to manipulate file paths within tar archives to overwrite arbitrary files on the target system. Exploitation of this vulnerability could…
more
lead to remote code execution, privilege escalation, data theft or manipulation, and denial of service. The vulnerability is due to improper validation of file paths during the extraction of tar files, as demonstrated in multiple occurrences within the library's codebase, including but not limited to the files_util.py and extract_imagenet.py scripts.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Deep Learning Frameworks
- Risk Domain
- Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- DeepJavaLibrary (DJL) is an engine-agnostic deep learning framework for Java, supporting multiple DL engines like TensorFlow and PyTorch. The vulnerability is in its codebase, including data extraction scripts like extract_imagenet.py, confirming its AI relevance.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
TarSlip vulnerability allows path traversal in tar extraction to overwrite arbitrary files, enabling exploitation for privilege escalation (T1068), data destruction via overwrites (T1485), and stored data manipulation (T1565.001).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.