{
  "threat_severity" : "Important",
  "public_date" : "2025-03-20T10:09:26Z",
  "bugzilla" : {
    "description" : "pytorch-lightning: Denial of Service in lightning-ai/pytorch-lightning",
    "id" : "2353669",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2353669"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-400",
  "details" : [ "A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.", "A flaw was found in PyTorch Lightning. This vulnerability allows an attacker to cause a denial of service via an unexpected POST request to the /api/v1/state endpoint, leading to improper handling of state values and server shutdown." ],
  "statement" : "Only Red Hat OpenShift AI 2.16 is impacted by this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-codeflare-operator-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-8020\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8020\nhttps://huntr.com/bounties/8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a" ],
  "name" : "CVE-2024-8020",
  "mitigation" : {
    "value" : "Implementing an input validation on the server-side for filter invalid POST requests to the /api/v1/state endpoint avoiding malicious requests.",
    "lang" : "en:us"
  },
  "csaw" : false
}