Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FlashAttention Symlink Attack via tarfile.extractall in hopper/setup.py
Vulnerability Description
FlashAttention through 2.8.3.post1, fixed in commit 0816ef1, contains a symlink attack vulnerability in the download_and_copy() function within hopper/setup.py that extracts NVIDIA toolchain archives without validating symlinks or filtering tar members. A local attacker can pre-plant a symlink in the predictable cache directory to redirect extracted binaries to an attacker-chosen location, enabling arbitrary file write with victim privileges during build time.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Vulnerability Title
Dao AI Lab FlashAttention 后置链接漏洞
Vulnerability Description
Dao AI Lab FlashAttention是Dao AI Lab团队开源的一个高效且节省内存的注意力机制实现工具。 Dao AI Lab FlashAttention 2.8.3.post1及之前版本存在后置链接漏洞,该漏洞源于hopper/setup.py中的download_and_copy()函数在提取NVIDIA toolchain归档时未验证symlink或过滤tar成员,本地攻击者可在可预测缓存目录中预置symlink,将提取的二进制文件重定向到攻击者选择的位置,从而在构建期间以受害者
CVSS Information
N/A
Vulnerability Type
N/A