Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-s5xv-w8ne-nuf3

Summary

A number of releases of ultralytics contained malicious crypto miner software.
Ultralytics has identified a supply chain attack
affecting affecting multiple versions of the ultralytics package.
The compromised versions contained unauthorized code that
downloaded and executed cryptocurrency mining software
when instantiating YOLO models.
This code was injected into the PyPI release artifacts and was not present
in the public GitHub repository.

Aliases

alias	PYSEC-2024-154

Fixed_packages

url	pkg:pypi/ultralytics@8.3.47
purl	pkg:pypi/ultralytics@8.3.47
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.47

Affected_packages

url pkg:pypi/ultralytics@8.3.41

purl pkg:pypi/ultralytics@8.3.41

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-s5xv-w8ne-nuf3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.41

url pkg:pypi/ultralytics@8.3.42

purl pkg:pypi/ultralytics@8.3.42

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-s5xv-w8ne-nuf3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.42

url pkg:pypi/ultralytics@8.3.43

purl pkg:pypi/ultralytics@8.3.43

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-s5xv-w8ne-nuf3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.43

url pkg:pypi/ultralytics@8.3.44

purl pkg:pypi/ultralytics@8.3.44

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-s5xv-w8ne-nuf3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.44

url pkg:pypi/ultralytics@8.3.45

purl pkg:pypi/ultralytics@8.3.45

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-s5xv-w8ne-nuf3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.45

url pkg:pypi/ultralytics@8.3.46

purl pkg:pypi/ultralytics@8.3.46

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-s5xv-w8ne-nuf3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.46

References

reference_url

https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

url

https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection

reference_url

https://github.com/ultralytics/ultralytics/issues/18027

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

url

https://github.com/ultralytics/ultralytics/issues/18027

reference_url

https://github.com/ultralytics/ultralytics/pull/18020#issuecomment-2525180194

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

url

https://github.com/ultralytics/ultralytics/pull/18020#issuecomment-2525180194

reference_url

https://github.com/ultralytics/ultralytics/pull/18052

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

url

https://github.com/ultralytics/ultralytics/pull/18052

reference_url

https://github.com/ultralytics/ultralytics/pull/18111

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

url

https://github.com/ultralytics/ultralytics/pull/18111

reference_url

https://github.com/ultralytics/ultralytics/releases/tag/v8.3.48

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

url

https://github.com/ultralytics/ultralytics/releases/tag/v8.3.48

reference_url

https://inspector.pypi.io/project/ultralytics/8.3.41/packages/d0/99/13d92174aa6a470d348a95e31164769f2cdf77838ea3c3e3fd476285777d/ultralytics-8.3.41-py3-none-any.whl/ultralytics/utils/downloads.py#line.284

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

url

Weaknesses

Exploits

Severity_range_score 8.6 - 8.7

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s5xv-w8ne-nuf3

Vulnerability Instance