Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite
Summary
Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite. Red Hat rates this important (CVSS 8). Weakness: CWE-22. Affected package(s): rhoai/odh-th06-cuda130-torch210-py312-rhel9:1782136276, rhoai/odh-training-rocm62-torch25-py311-rhel9:1782132236, rhoai/odh-th06-cpu-torch210-py312-rhel9:1782135464, rhoai/odh-training-cuda128-torch29-py312-rhel9:1782132240, rhai/base-image-rocm-rhel9:1782914721, rhai/base-image-spyre-rhel9:1782916020. Resolved in Red Hat advisory RHSA-2026:34748 — update the affected packages (`sudo dnf update`).
- rhoai/odh-th06-cuda130-torch210-py312-rhel9:1782136276
- rhoai/odh-training-rocm62-torch25-py311-rhel9:1782132236
- rhoai/odh-th06-cpu-torch210-py312-rhel9:1782135464
- rhoai/odh-training-cuda128-torch29-py312-rhel9:1782132240
- rhai/base-image-rocm-rhel9:1782914721
- rhai/base-image-spyre-rhel9:1782916020
- rhai/base-image-cpu-rhel9:1782915416
- ansible-automation-platform-26/de-minimal-rhel9:1782711769
- rhai/base-image-spyre-rhel9:1782928984
- rhai/base-image-cuda-rhel9:1782929069
- rhoai/odh-mlserver-rhel9:1782726504
- rhai/base-image-rocm-6.4-rhel9:1782914644
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- RHSA-2026:34748
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- Update the affected package(s) to the fixed version shipped in RHSA-2026:34748 (`sudo dnf update` / `yum update`).
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.