Improper input validation in some Intel(R) Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access.
The flaw consists of improper input validation (CWE-20), meaning that the software does not properly verify the correctness of data received from the network before processing it. An attacker can send specially crafted data to the vulnerable system without the need for authentication. The result is the ability to escalate privileges in a context that goes beyond the scope of the application itself (Scope: Changed vector in CVSS), indicating potential impact on the entire operating system or other components of the environment.
An unauthenticated remote attacker can gain privilege escalation, leading to complete compromise of confidentiality, integrity, and availability of the system on which the vulnerable software runs.
Intel Neural Compressor software should be updated to version 2.5.0 or later. Detailed information is available in the Intel security advisory at: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01109.html
Intel Neural Compressor in versions prior to 2.5.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H