CVE-2024-37902
Published: 17 June 2024
Summary
CVE-2024-37902 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Host Software Binary (T1554); ranked in the top 47.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Deep Learning Frameworks; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2188
Vulnerability details
DeepJavaLibrary (DJL) is an Engine-Agnostic Deep Learning Framework in Java. DJL versions 0.1.0 through 0.27.0 do not prevent archived artifacts containing absolute-path entries from writing their files directly onto the filesystem, which can overwrite system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers version 0.27.0. Users are advised to upgrade.
- CWE(s): CWE-22 (Path Traversal)
AI Security Analysis
- AI Category: Deep Learning Frameworks
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: DeepJavaLibrary (DJL) is explicitly described as an 'Engine-Agnostic Deep Learning Framework in Java,' matching the Deep Learning Frameworks category. The vulnerability involves improper handling of absolute-path entries in archived artifacts, allowing file overwrites, which is a zip-slip-like issue in model/artifact loading.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary overwriting of system files via absolute path traversal in archived artifacts processed by DJL, facilitating compromise of host software binaries (T1554), disabling or modifying security tools (T1562.001), creation or modification of system processes/services (T1543), and exploitation for privilege escalation (T1068).
MITRE ATLAS Techniques
- AI Supply Chain Compromise (AML.T0010)
- External Harms (AML.T0048)
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
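The control above, and the zip-slip-like loading issue described in the classification reason, come down to one check: every entry name in a model archive must be resolved against the extraction directory and proven to stay inside it before anything is written. The following is an added example written for this page; it is not DJL's own code, it uses the JDK zip classes as a stand-in for whatever archive container a framework accepts (DJL also handles tar artifacts), and the class and method names (SafeArtifactExtractor, resolveSafely, validateAll) are hypothetical. The archive contents in main are constructed inputs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Hypothetical hardened extractor for model artifacts (example code, not DJL's). */
public class SafeArtifactExtractor {

    /** Raised when an entry name would place a file outside the destination directory. */
    public static class UnsafeEntryException extends IOException {
        public UnsafeEntryException(String message) { super(message); }
    }

    /**
     * Map an entry name onto destDir and prove the result stays inside it.
     * Rejects names with a root component ("/etc/x", "\x", "C:\x") and names whose
     * normalized form climbs out of destDir ("../x", "a/../../x"): the CWE-22 check.
     */
    public static Path resolveSafely(Path destDir, String entryName) throws UnsafeEntryException {
        Path base = destDir.toAbsolutePath().normalize();
        Path entry = Paths.get(entryName);
        if (entry.isAbsolute() || entry.getRoot() != null) {
            throw new UnsafeEntryException("absolute entry name rejected: " + entryName);
        }
        Path target = base.resolve(entry).normalize();
        if (!target.startsWith(base)) {
            throw new UnsafeEntryException("entry escapes destination: " + entryName);
        }
        return target;
    }

    /** Check every entry name before writing anything, so a bad archive fails closed. */
    public static void validateAll(byte[] zipBytes, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                resolveSafely(destDir, e.getName());
            }
        }
    }

    /** Extract an in-memory zip into destDir; returns the regular files written. */
    public static List<Path> extract(byte[] zipBytes, Path destDir) throws IOException {
        validateAll(zipBytes, destDir);
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                Path target = resolveSafely(destDir, e.getName()); // re-checked per entry
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target); // reads to the end of this entry only
                    written.add(target);
                }
            }
        }
        return written;
    }

    /** Build a small zip in memory from (name, content) pairs; constructed test input. */
    static byte[] buildZip(String[][] entries) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String[] entry : entries) {
                zos.putNextEntry(new ZipEntry(entry[0]));
                zos.write(entry[1].getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("artifact-extract-");
        // Constructed archives: one well-formed, one carrying an absolute-path entry.
        byte[] clean = buildZip(new String[][] {
            {"model/params.bin", "weights"}, {"model/serving.properties", "k=v"}});
        byte[] hostile = buildZip(new String[][] {
            {"model/params.bin", "weights"}, {"/constructed/absolute.txt", "x"}});
        System.out.println("clean archive wrote: " + extract(clean, dest));
        try {
            extract(hostile, dest);
        } catch (UnsafeEntryException ex) {
            System.out.println("hostile archive rejected before any write: " + ex.getMessage());
        }
    }
}
```

The two-pass shape matters: validateAll walks the whole entry list before the first byte is written, so an archive with one bad entry leaves no partially extracted files behind, and resolveSafely is still applied per entry during the write pass so the two passes cannot drift apart. The getRoot() test covers root-relative names such as "\x" on Windows, which Path.isAbsolute() alone does not flag.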