{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8020", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-08-20T17:13:44.574Z", "datePublished": "2025-03-20T10:09:26.822Z", "dateUpdated": "2025-10-15T12:49:53.948Z"}, "containers": {"cna": {"title": "Denial of Service in lightning-ai/pytorch-lightning", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-10-15T12:49:53.948Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down."}], "affected": [{"vendor": "lightning-ai", "product": "lightning-ai/pytorch-lightning", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-248 Uncaught Exception", "cweId": "CWE-248"}]}], "source": {"advisory": "8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T17:53:50.462186Z", "id": "CVE-2024-8020", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T18:38:59.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8020", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-20T17:53:50.462186Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T17:53:52.008Z"}}], "cna": {"title": "Denial of Service in lightning-ai/pytorch-lightning", "source": {"advisory": "8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "lightning-ai", "product": "lightning-ai/pytorch-lightning", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a"}], "descriptions": [{"lang": "en", "value": "A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-03-20T10:09:26.822Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8020", "state": "PUBLISHED", "dateUpdated": "2025-03-20T18:38:59.047Z", "dateReserved": "2024-08-20T17:13:44.574Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2025-03-20T10:09:26.822Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lightningai:pytorch_lightning:2.3.2:*:*:*:*:python:*:*", "matchCriteriaId": "9DAFEB66-8316-421A-A6DC-9BF552A7AB6B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down."}, {"lang": "es", "value": "Una vulnerabilidad en lightning-ai/pytorch-lightning versi\u00f3n 2.3.2 permite a un atacante provocar una denegaci\u00f3n de servicio mediante el env\u00edo de una solicitud POST inesperada al endpoint `/api/v1/state` de `LightningApp`. Este problema se produce debido a la gesti\u00f3n incorrecta de valores de estado inesperados, lo que provoca el apagado del servidor."}], "id": "CVE-2024-8020", "lastModified": "2025-10-15T13:15:53.443", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2025-03-20T10:15:39.137", "references": [{"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-248"}], "source": "security@huntr.dev", "type": "Primary"}]}

{"bugzilla": {"description": "pytorch-lightning: Denial of Service in lightning-ai/pytorch-lightning", "id": "2353669", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353669"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.", "A flaw was found in PyTorch Lightning. This vulnerability allows an attacker to cause a denial of service via an unexpected POST request to the /api/v1/state endpoint, leading to improper handling of state values and server shutdown."], "mitigation": {"lang": "en:us", "value": "Implementing an input validation on the server-side for filter invalid POST requests to the /api/v1/state endpoint avoiding malicious requests."}, "name": "CVE-2024-8020", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-codeflare-operator-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2025-03-20T10:09:26Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8020\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8020\nhttps://huntr.com/bounties/8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a"], "statement": "Only Red Hat OpenShift AI 2.16 is impacted by this issue.", "threat_severity": "Important"}