adamoswald / face Goto Github PK

Vulnerable Library - adabound-0.0.5-py3-none-any.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-RZUGWE-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-RZUGWE-requirements.txt

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-45907

Vulnerable Library - torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/7a/fb/b1b11ae95ffa7099ca2e60ed5945e56130cc8740208f42aa77f17e03ab3c/torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-RZUGWE-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-RZUGWE-requirements.txt

Dependency Hierarchy:

• adabound-0.0.5-py3-none-any.whl (Root Library)
  • ❌ torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

Publish Date: 2022-11-26

URL: CVE-2022-45907

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Step up your Open Source Security Game with Mend here

Vulnerable Library - yargs-5.0.0.tgz

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2020-7608

Vulnerable Library - yargs-parser-3.2.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-3.2.0.tgz

Dependency Hierarchy:

• yargs-5.0.0.tgz (Root Library)
  • ❌ yargs-parser-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 5.0.0-security.0

Direct dependency fix Resolution (yargs): 7.0.0

Step up your Open Source Security Game with Mend here

Dockerfile.cpu

Dockerfile.gpu

• nvidia/cuda 12.1.0-runtime-ubuntu18.04

SwapNet-jwyang-roi-version/Dockerfile

• nvidia/cuda 10.2-cudnn7-devel-ubuntu18.04

.github/workflows/action-config.yml

• yumemi-inc/action-config v0.1.0

.github/workflows/action-gobrew.yml

• kevincobain2000/action-gobrew v1
• actions/checkout v3
• kevincobain2000/action-gobrew v1

.github/workflows/action-pylint.yml

• gabriel-milan/action-pylint v1
• actions/checkout v3
• gabriel-milan/action-pylint v1

.github/workflows/action-pypi-release.yml

• stone-home/action-pypi-release v1.0.0
• actions/setup-python v4
• mathieudutour/github-tag-action v6.1
• pypa/gh-action-pypi-publish v1.8.5
• ncipollo/release-action v1.12.0

.github/workflows/action-xcode-staple.yml

• BoundfoxStudios/action-xcode-staple v1
• BoundfoxStudios/action-xcode-staple v1

.github/workflows/actions-pipenv.yml

• tiagovrtr/actions-pipenv v1
• actions/checkout v3
• actions/setup-python v4
• tiagovrtr/actions-pipenv v1
• actions/checkout v3
• actions/setup-python v4

.github/workflows/actions-poetry.yml

• abatilo/actions-poetry v2.3.0
• actions/checkout v3
• actions/setup-python v4
• abatilo/actions-poetry v2
• actions/checkout v3
• actions/setup-python v4
• amannn/action-semantic-pull-request v5.2.0

.github/workflows/api-json-action.yml

• nathanclevenger/api-json-action v0.2.0
• actions/checkout v3
• nathanclevenger/api-json-action v1
• stefanzweifel/git-auto-commit-action v4

.github/workflows/azure-webapps-python.yml

• actions/checkout v3
• actions/setup-python v4.6.0
• actions/upload-artifact v3
• actions/download-artifact v3
• azure/webapps-deploy v2

.github/workflows/c-cpp.yml

• actions/checkout v3

.github/workflows/cccc-action.yml

• sarnold/cccc-action 0.3
• actions/checkout v3
• actions/upload-artifact v3
• actions/checkout v3

.github/workflows/check-python-version.yml

• samuelcolvin/check-python-version v3
• samuelcolvin/check-python-version v3

.github/workflows/cmake.yml

• actions/checkout v3

.github/workflows/codacy.yml

• actions/checkout v3
• codacy/codacy-analysis-cli-action db33ad5cfab49143adf0db6e890cf4bb9fb37b1c
• github/codeql-action v2

.github/workflows/codenamize-action.yml

• reallyreallyreal/codenamize-action v1.1.0

.github/workflows/codeql.yml

• actions/checkout v3
• github/codeql-action v2
• github/codeql-action v2
• github/codeql-action v2

.github/workflows/custom-interactions.yml

• bartick/custom-interactions v1
• bartick/custom-interactions v1

.github/workflows/datadog-synthetics.yml

• actions/checkout v3
• DataDog/synthetics-ci-github-action 431d042ee366b9468e65570000e67f1846104672

.github/workflows/dependency-review.yml

• actions/checkout v3
• actions/dependency-review-action v3

.github/workflows/django.yml

• actions/checkout v3
• actions/setup-python v4

.github/workflows/dotnet-desktop.yml

• actions/checkout v3
• actions/setup-dotnet v3
• microsoft/setup-msbuild v1.3.1
• actions/upload-artifact v3

.github/workflows/dotnet.yml

• actions/checkout v3
• actions/setup-dotnet v3

.github/workflows/foresight-workflow-kit-action.yaml

• runforesight/foresight-workflow-kit-action v1
• runforesight/foresight-test-kit-action v1

.github/workflows/foresight-workflow-kit-action.yml

• runforesight/foresight-workflow-kit-action v1
• runforesight/foresight-test-kit-action v1

.github/workflows/generate.yaml

• nathanclevenger/api-json-action v0.2.0
• actions/checkout v3
• nathanclevenger/api-json-action v1
• stefanzweifel/git-auto-commit-action v4

.github/workflows/get-version-from-package-json.yml

• polyseam/get-version-from-package-json 1.0.0
• actions/checkout v3

.github/workflows/gitguardian.yml

• actions/checkout v3

.github/workflows/go-ossf-slsa3-publish.yml

• slsa-framework/slsa-github-generator v1.5.0

.github/workflows/go.yml

• actions/checkout v3
• actions/setup-go v4

.github/workflows/gradle-publish.yml

• actions/checkout v3
• actions/setup-java v3
• gradle/gradle-build-action 9cf99034d287025d4ee4838498a346d99521aaa4
• gradle/gradle-build-action 9cf99034d287025d4ee4838498a346d99521aaa4

.github/workflows/gradle.yml

• actions/checkout v3
• actions/setup-java v3
• gradle/gradle-build-action 9cf99034d287025d4ee4838498a346d99521aaa4

.github/workflows/ios.yml

• actions/checkout v3

.github/workflows/jekyll-docker.yml

• actions/checkout v3

.github/workflows/json-to-file.yml

• devops-actions/json-to-file v1.0.3

.github/workflows/manual.yml

.github/workflows/node.js.yml

• actions/checkout v3
• actions/setup-node v3

.github/workflows/npm-grunt.yml

• actions/checkout v3
• actions/setup-node v3

.github/workflows/npm-gulp.yml

• actions/checkout v3
• actions/setup-node v3

.github/workflows/objective-c-xcode.yml

• actions/checkout v3

.github/workflows/pep8-action.yml

• quentinguidee/pep8-action v2.0.13-dev
• quentinguidee/pep8-action v1

.github/workflows/php.yml

• actions/checkout v3
• actions/cache v3

.github/workflows/pip-install.yml

• logikal-io/pip-install v1.0.0

.github/workflows/pylint.yml

• actions/checkout v3
• actions/setup-python v4

.github/workflows/pytest.yml

• actions/checkout v3
• actions/setup-python v4

.github/workflows/python-app.yml

• actions/checkout v3
• actions/setup-python v4

.github/workflows/python-package-conda.yml

• actions/checkout v3
• actions/setup-python v4

.github/workflows/python-package.yml

• actions/checkout v3
• actions/setup-python v4

.github/workflows/python-publish.yml

• actions/checkout v3
• actions/setup-python v4
• pypa/gh-action-pypi-publish 5a085bf49e449ba94cc551efdc03b14b2be3788c

.github/workflows/r.yml

• actions/checkout v3
• r-lib/actions 788d7d59f05b5ac5b9cf4630428a2502514e98fb

.github/workflows/ruby.yml

• actions/checkout v3
• ruby/setup-ruby v1.146.0@55283cc23133118229fd3f97f9336ee23a179fcf

.github/workflows/scala.yml

• actions/checkout v3
• actions/setup-java v3

.github/workflows/setup-python.yml

• actions/setup-python v4.6.0

.github/workflows/setup-swift-beta.yml

• SavchenkoValeriy/setup-swift v1.0.0
• swift-actions/setup-swift v1
• swift-actions/setup-swift v1
• swift-actions/setup-swift v1

.github/workflows/stackaid-dependency-generator.yml

• stackaid/generate-stackaid-json v1.9
• actions/checkout v3
• actions/setup-go v4
• stackaid/generate-stackaid-json v1.9

.github/workflows/super-linter.yml

• actions/checkout v3
• github/super-linter v5

.github/workflows/swift.yml

• actions/checkout v3

.github/workflows/test-pypy.yml

• actions/checkout v3
• actions/checkout v3
• actions/checkout v3

.github/workflows/test-python.yml

• actions/checkout v3
• actions/checkout v3
• actions/checkout v3
• actions/checkout v3
• actions/checkout v3
• actions/checkout v3

.github/workflows/update-ios-bundle-identifier-action.yml

• damienaicheh/update-ios-bundle-identifier-action v1.0.0
• damienaicheh/update-ios-bundle-identifier-action v1.0.0

.github/workflows/update-ios-version-info-plist-action.yml

• damienaicheh/update-ios-version-info-plist-action v1.1.0
• damienaicheh/update-ios-version-info-plist-action v1.1.0

.github/workflows/update-updates-release-channel-expo-plist-action.yml

• Brune04/update-updates-release-channel-expo-plist-action v1.3
• Brune04/update-ios-version-info-plist-action v1.3

.github/workflows/webpack.yml

• actions/checkout v3
• actions/setup-node v3

.github/workflows/workflow.yml

• actions/checkout v3
• actions/setup-node v3

.github/workflows/yaml-to-env-action.yml

• dcarbone/yaml-to-env-action v2.1.1
• actions/checkout v3
• dcarbone/yaml-to-env-action v2.1.1

PRNet-master/requirements.txt

• numpy >=1.14.3

docs/sphinx_requirements.txt

requirements.txt

setup.py

• pexpect >=4.8.0
• pywinpty ==2.0.10

parametric-face-image-generator-2.1.1/build.sbt

• scala 2.13.10
• ch.unibas.cs.gravis:scalismo-faces 0.90.0
• org.scalatest:scalatest 3.2.15
• org.rogach:scallop 4.1.0

parametric-face-image-generator-2.1.1/project/assembly.sbt

• com.eed3si9n:sbt-assembly 2.1.1

parametric-face-image-generator-2.1.1/project/build.properties

• sbt/sbt 1.8.2

Vulnerable Library - pytorch-1.2.0-cuda92py37hd3e106c_0.tar.bz2

PyTorch is an optimized tensor library for deep learning using GPUs and CPUs.

Library home page: https://api.anaconda.org/download/main/pytorch/1.2.0/linux-64/pytorch-1.2.0-cuda92py37hd3e106c_0.tar.bz2

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/pytorch-1.2.0-py3.7_cuda10.0.130_cudnn7.6.2_0.tar.bz2,/r/anaconda3/pkgs/pytorch-1.2.0-py3.7_cuda10.0.130_cudnn7.6.2_0.tar.bz2

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-45907

Vulnerable Library - pytorch-1.2.0-cuda92py37hd3e106c_0.tar.bz2

PyTorch is an optimized tensor library for deep learning using GPUs and CPUs.

Library home page: https://api.anaconda.org/download/main/pytorch/1.2.0/linux-64/pytorch-1.2.0-cuda92py37hd3e106c_0.tar.bz2

Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/pytorch-1.2.0-py3.7_cuda10.0.130_cudnn7.6.2_0.tar.bz2,/r/anaconda3/pkgs/pytorch-1.2.0-py3.7_cuda10.0.130_cudnn7.6.2_0.tar.bz2

Dependency Hierarchy:

• ❌ pytorch-1.2.0-cuda92py37hd3e106c_0.tar.bz2 (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

Publish Date: 2022-11-26

URL: CVE-2022-45907

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Step up your Open Source Security Game with Mend here

Vulnerable Library - react-native-svg-12.1.0.tgz

Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /module/sprites-as-a-service-0.5.0/frontend/package.json

Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json

Dependency Hierarchy:

• react-native-svg-12.1.0.tgz (Root Library)
  • css-select-2.1.0.tgz
    • ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution (nth-check): 2.0.1

Direct dependency fix Resolution (react-native-svg): 12.3.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - archiver-2.1.1.tgz

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2021-43138

Vulnerable Library - async-2.6.1.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.1.tgz

Dependency Hierarchy:

• archiver-2.1.1.tgz (Root Library)
  • ❌ async-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (archiver): 4.0.2

Step up your Open Source Security Game with Mend here

Vulnerable Library - protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/19/a5/ac51df34cdf4739574492ed4903c11dadd72a7bec4a31bb0496f4f50fc19/protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt

Path to vulnerable library: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda,/module/wombopy-main,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-1941

Vulnerable Library - protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/19/a5/ac51df34cdf4739574492ed4903c11dadd72a7bec4a31bb0496f4f50fc19/protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt

Path to vulnerable library: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda,/module/wombopy-main,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Dependency Hierarchy:

• ❌ protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Step up your Open Source Security Game with Mend here

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /module/dalle-mini-0.1.1

Path to vulnerable library: /module/dalle-mini-0.1.1,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/PRNet-master/requirements.txt,/module/_tests_requirements.txt,/module/runx-0.0.5/requirements.txt,/module/openai-python-0.22.1,/docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/module/Jupyter-master/requirements.txt,/module/DALLE2-pytorch-1.10.6,/module/MM-RealSR-1.0.0/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/extension-cpp-master/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/module,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/requirements.txt,/module/wombopy-main,/module/runx-0.0.5/requirements.txt,/module/MM-RealSR-1.0.0/requirements.txt,/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/Jupyter-master/requirements.txt,/module/openai-python-0.22.1/public,/module/extension-cpp-master/cpp,/module/Bobber-6.3.1,/module/PRNet-master/requirements.txt,/module/imagen-pytorch-1.11.12,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/runx-0.0.5,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/extension-cpp-master/cuda,/module/paperspace-python-0.2.0,/module/PRNet-master/requirements.txt,/module/MM-RealSR-1.0.0

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2021-34141

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /module/dalle-mini-0.1.1

Path to vulnerable library: /module/dalle-mini-0.1.1,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/PRNet-master/requirements.txt,/module/_tests_requirements.txt,/module/runx-0.0.5/requirements.txt,/module/openai-python-0.22.1,/docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/module/Jupyter-master/requirements.txt,/module/DALLE2-pytorch-1.10.6,/module/MM-RealSR-1.0.0/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/extension-cpp-master/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/module,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/requirements.txt,/module/wombopy-main,/module/runx-0.0.5/requirements.txt,/module/MM-RealSR-1.0.0/requirements.txt,/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/Jupyter-master/requirements.txt,/module/openai-python-0.22.1/public,/module/extension-cpp-master/cpp,/module/Bobber-6.3.1,/module/PRNet-master/requirements.txt,/module/imagen-pytorch-1.11.12,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/runx-0.0.5,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/extension-cpp-master/cuda,/module/paperspace-python-0.2.0,/module/PRNet-master/requirements.txt,/module/MM-RealSR-1.0.0

Dependency Hierarchy:

• ❌ numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-41894

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of data_ptr += num_channels; it should be data_ptr += output_num_channels; as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41894

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41894

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41900

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.

Publish Date: 2022-11-18

URL: CVE-2022-41900

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41900

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41883

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing number of inputs, the executor will crash. We have patched the issue in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41883

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41883

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.10.1, 2.11.0, tensorflow-cpu - 2.10.1, 2.11.0, tensorflow-gpu - 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41880

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When the BaseCandidateSamplerOp function receives a value in true_classes larger than range_max, a heap oob read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41880

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41880

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41895

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If MirrorPadGrad is given outsize input paddings, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41895

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41895

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41884

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41884

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41884

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41893

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If tf.raw_ops.TensorListResize is given a nonscalar value for input size, it results CHECK fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41893

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41893

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41898

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If SparseFillEmptyRowsGrad is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41898

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41898

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41887

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. tf.keras.losses.poisson receives a y_pred and y_true that are passed through functor::mul in BinaryOp. If the resulting dimensions overflow an int32, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.

Publish Date: 2022-11-18

URL: CVE-2022-41887

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41887

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41888

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When running on GPU, tf.image.generate_bounding_box_proposals receives a scores input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41888

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41888

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41899

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. Inputs dense_features or example_state_data not of rank 2 will trigger a CHECK fail in SdcaOptimizer. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41899

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41899

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41896

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If ThreadUnsafeUnigramCandidateSampler is given input filterbank_channel_count greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41896

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41896

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41886

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When tf.raw_ops.ImageProjectiveTransformV2 is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41886

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41886

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41897

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If FractionMaxPoolGrad is given outsize inputs row_pooling_sequence and col_pooling_sequence, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41897

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41897

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41911

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a const char* array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from char to bool are undefined if the char is not 0 or 1, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit 1be74370327. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41911

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41911

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41889

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught. An example can be seen in tf.compat.v1.extract_volume_patches by passing in quantized tensors as input ksizes. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41889

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41889

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41901

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. An input sparse_matrix that is not a matrix with a shape with rank 0 will trigger a CHECK fail in tf.raw_ops.SparseMatrixNNZ. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41901

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41901

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41907

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When tf.raw_ops.ResizeNearestNeighborGrad is given a large size input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41907

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41907

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c3/56/bdf1b802e111050e3fe11150e09d2e220478cf5af4256e7fa628663fa08f/Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-45198

Vulnerable Library - Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c3/56/bdf1b802e111050e3fe11150e09d2e220478cf5af4256e7fa628663fa08f/Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Publish Date: 2022-11-14

URL: CVE-2022-45198

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.2.0

Step up your Open Source Security Game with Mend here

CVE-2022-45199

Vulnerable Library - Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c3/56/bdf1b802e111050e3fe11150e09d2e220478cf5af4256e7fa628663fa08f/Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.

Publish Date: 2022-11-14

URL: CVE-2022-45199

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.3.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2019-9423

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda

Dependency Hierarchy:

• ❌ opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. Product: AndroidVersions: Android-10Android ID: A-110986616

Publish Date: 2019-09-27

URL: CVE-2019-9423

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-9423

Release Date: 2019-09-27

Fix Resolution: opencv-python - 4.1.2.30,3.4.16.57;opencv-python-headless - 4.1.2.30,3.4.16.57;opencv-contrib-python-headless - 3.4.16.57,4.1.2.30;opencv-contrib-python - 3.4.16.57,4.1.2.30

Step up your Open Source Security Game with Mend here

CVE-2019-14493

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda

Dependency Hierarchy:

• ❌ opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An issue was discovered in OpenCV before 4.1.1. There is a NULL pointer dereference in the function cv::XMLParser::parse at modules/core/src/persistence.cpp.

Publish Date: 2019-08-01

URL: CVE-2019-14493

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3448-vrgh-85xr

Release Date: 2019-08-01

Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26

Step up your Open Source Security Game with Mend here

CVE-2019-14492

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda

Dependency Hierarchy:

• ❌ opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.

Publish Date: 2019-08-01

URL: CVE-2019-14492

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fw99-f933-rgh8

Release Date: 2020-04-17

Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26

Step up your Open Source Security Game with Mend here

CVE-2019-19624

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda

Dependency Hierarchy:

• ❌ opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An out-of-bounds read was discovered in OpenCV before 4.1.1. Specifically, variable coarsest_scale is assumed to be greater than or equal to finest_scale within the calc()/ocl_calc() functions in dis_flow.cpp. However, this is not true when dealing with small images, leading to an out-of-bounds read of the heap-allocated arrays Ux and Uy.

Publish Date: 2019-12-06

URL: CVE-2019-19624

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-jggw-2q6g-c3m6

Release Date: 2019-12-17

Fix Resolution: OpenCV-Python - 4.1.0.25

Step up your Open Source Security Game with Mend here

CVE-2019-14491

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda

Dependency Hierarchy:

• ❌ opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read in the function cv::predictOrderedcv::HaarEvaluator in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.

Publish Date: 2019-08-01

URL: CVE-2019-14491

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-fm39-cw8h-3p63

Release Date: 2019-12-02

Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26

Step up your Open Source Security Game with Mend here

CVE-2019-15939

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda

Dependency Hierarchy:

• ❌ opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp.

Publish Date: 2019-09-05

URL: CVE-2019-15939

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hxfw-jm98-v4mq

Release Date: 2019-09-05

Fix Resolution: OpenCV-Python - 4.1.1.26

Step up your Open Source Security Game with Mend here

CVE-2019-16249

Vulnerable Library - opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Wrapper package for OpenCV python bindings.

Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt

Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda

Dependency Hierarchy:

• ❌ opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp.

Publish Date: 2019-09-11

URL: CVE-2019-16249

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-x3rm-644h-67m8

Release Date: 2019-12-03

Fix Resolution: OpenCV-Python - 4.1.1.26

Step up your Open Source Security Game with Mend here

Vulnerable Library - requests-2.28.2-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/d2/f4/274d1dbe96b41cf4e0efb70cbced278ffd61b5c7bb70338b62af94ccb25b/requests-2.28.2-py3-none-any.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2023-32681

Vulnerable Library - requests-2.28.2-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/d2/f4/274d1dbe96b41cf4e0efb70cbced278ffd61b5c7bb70338b62af94ccb25b/requests-2.28.2-py3-none-any.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ requests-2.28.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Publish Date: 2023-05-26

URL: CVE-2023-32681

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8r2-6x86-q33q

Release Date: 2023-05-26

Fix Resolution: requests -2.31.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-41894

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of data_ptr += num_channels; it should be data_ptr += output_num_channels; as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41894

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41894

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41900

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.

Publish Date: 2022-11-18

URL: CVE-2022-41900

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41900

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41880

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When the BaseCandidateSamplerOp function receives a value in true_classes larger than range_max, a heap oob read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41880

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41880

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41895

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If MirrorPadGrad is given outsize input paddings, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41895

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41895

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41884

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41884

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41884

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41893

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If tf.raw_ops.TensorListResize is given a nonscalar value for input size, it results CHECK fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41893

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41893

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41898

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If SparseFillEmptyRowsGrad is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41898

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41898

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41887

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. tf.keras.losses.poisson receives a y_pred and y_true that are passed through functor::mul in BinaryOp. If the resulting dimensions overflow an int32, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.

Publish Date: 2022-11-18

URL: CVE-2022-41887

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41887

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41888

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When running on GPU, tf.image.generate_bounding_box_proposals receives a scores input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41888

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41888

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41899

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. Inputs dense_features or example_state_data not of rank 2 will trigger a CHECK fail in SdcaOptimizer. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41899

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41899

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41896

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If ThreadUnsafeUnigramCandidateSampler is given input filterbank_channel_count greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41896

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41896

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41886

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When tf.raw_ops.ImageProjectiveTransformV2 is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41886

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41886

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41897

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If FractionMaxPoolGrad is given outsize inputs row_pooling_sequence and col_pooling_sequence, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41897

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41897

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41889

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught. An example can be seen in tf.compat.v1.extract_volume_patches by passing in quantized tensors as input ksizes. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41889

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41889

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41911

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a const char* array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from char to bool are undefined if the char is not 0 or 1, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit 1be74370327. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41911

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41911

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41901

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. An input sparse_matrix that is not a matrix with a shape with rank 0 will trigger a CHECK fail in tf.raw_ops.SparseMatrixNNZ. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41901

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41901

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41907

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. When tf.raw_ops.ResizeNearestNeighborGrad is given a large size input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41907

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41907

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41908

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. An input token that is not a UTF-8 bytestring will trigger a CHECK fail in tf.raw_ops.PyFunc. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41908

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41908

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

CVE-2022-41909

Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

TensorFlow is an open source platform for machine learning. An input encoded that is not a valid CompositeTensorVariant tensor will trigger a segfault in tf.raw_ops.CompositeTensorVariantToComponents. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41909

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41909

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - table-4.0.3.tgz

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2021-3807

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

• table-4.0.3.tgz (Root Library)
  • string-width-2.1.1.tgz
    • strip-ansi-4.0.0.tgz
      • ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (table): 5.0.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /module/runx-0.0.5/requirements.txt

Path to vulnerable library: /module/runx-0.0.5/requirements.txt,/module/runx-0.0.5/requirements.txt

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-1941

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /module/runx-0.0.5/requirements.txt

Path to vulnerable library: /module/runx-0.0.5/requirements.txt,/module/runx-0.0.5/requirements.txt

Dependency Hierarchy:

• ❌ protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Step up your Open Source Security Game with Mend here

Vulnerable Library - PyYAML-5.3.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz

Path to dependency file: /module/requirements.txt

Path to vulnerable library: /module/requirements.txt,/module

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2020-14343

Vulnerable Library - PyYAML-5.3.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz

Path to dependency file: /module/requirements.txt

Path to vulnerable library: /module/requirements.txt,/module

Dependency Hierarchy:

• ❌ PyYAML-5.3.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Publish Date: 2021-02-09

URL: CVE-2020-14343

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343

Release Date: 2021-02-09

Fix Resolution: PyYAML - 5.4

Step up your Open Source Security Game with Mend here

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2020-6817

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

• ❌ bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

A regular expression denial-of-service (ReDoS) found in Bleach before 3.1.4.

Publish Date: 2020-04-01

URL: CVE-2020-6817

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-01

Fix Resolution: bleach - 3.1.4

Step up your Open Source Security Game with Mend here

CVE-2020-6816

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

• ❌ bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.

Publish Date: 2020-03-24

URL: CVE-2020-6816

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6xf-fq7q-8743

Release Date: 2020-03-24

Fix Resolution: bleach - 3.1.2

Step up your Open Source Security Game with Mend here

CVE-2020-6802

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

• ❌ bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

Publish Date: 2020-03-24

URL: CVE-2020-6802

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q65m-pv3f-wr5r

Release Date: 2020-03-24

Fix Resolution: 3.1.1

Step up your Open Source Security Game with Mend here

WS-2021-0011

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

• ❌ bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In Mozilla Bleach before 3.3.0, a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False.

Publish Date: 2021-02-01

URL: WS-2021-0011

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-vv2x-vrpj-qqpq

Release Date: 2021-02-01

Fix Resolution: bleach - 3.3.0

Step up your Open Source Security Game with Mend here

CVE-2021-23980

Vulnerable Library - bleach-3.1.0-py37_0.conda

Easy, whitelist-based HTML-sanitizing tool

Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda

Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda

Dependency Hierarchy:

• ❌ bleach-3.1.0-py37_0.conda (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

A flaw was found in bleach before 3.3.0. A mutation XSS affects users calling "bleach.clean". This was fixed in commit 1334134

Publish Date: 2021-01-14

URL: CVE-2021-23980

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/PYSEC-2021-865

Release Date: 2021-01-14

Fix Resolution: bleach - 3.3.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - streamlit-0.72.0-py2.py3-none-any.whl

The fastest way to build data apps in Python

Library home page: https://files.pythonhosted.org/packages/a3/3b/8b70128553de980a5120b512c8eedc3667deced9554fc399703414b1d8cf/streamlit-0.72.0-py2.py3-none-any.whl

Path to dependency file: /module/requirements.txt

Path to vulnerable library: /module/requirements.txt,/module

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-35918

Vulnerable Library - streamlit-0.72.0-py2.py3-none-any.whl

The fastest way to build data apps in Python

Library home page: https://files.pythonhosted.org/packages/a3/3b/8b70128553de980a5120b512c8eedc3667deced9554fc399703414b1d8cf/streamlit-0.72.0-py2.py3-none-any.whl

Path to dependency file: /module/requirements.txt

Path to vulnerable library: /module/requirements.txt,/module

Dependency Hierarchy:

• ❌ streamlit-0.72.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2022-08-01

URL: CVE-2022-35918

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35918

Release Date: 2022-08-01

Fix Resolution: streamlit - 1.11.1

Step up your Open Source Security Game with Mend here

Vulnerable Library - libxml2-2.9.9-he19cac6_0.conda

The XML C parser and toolkit of Gnome

Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda

Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-29824

Vulnerable Library - libxml2-2.9.9-he19cac6_0.conda

The XML C parser and toolkit of Gnome

Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda

Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml

Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda

Dependency Hierarchy:

• ❌ libxml2-2.9.9-he19cac6_0.conda (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Publish Date: 2022-05-03

URL: CVE-2022-29824

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824

Release Date: 2022-05-03

Fix Resolution: v2.9.14

Step up your Open Source Security Game with Mend here

Vulnerable Library - glslify-6.3.0.tgz

Path to dependency file: /module/canvas-sketch-cli-1.11.20/package.json

Path to vulnerable library: /module/canvas-sketch-cli-1.11.20/node_modules/falafel/node_modules/acorn/package.json

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

WS-2020-0042

Vulnerable Library - acorn-5.7.4.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz

Path to dependency file: /module/canvas-sketch-cli-1.11.20/package.json

Path to vulnerable library: /module/canvas-sketch-cli-1.11.20/node_modules/falafel/node_modules/acorn/package.json

Dependency Hierarchy:

• glslify-6.3.0.tgz (Root Library)
  • falafel-2.1.0.tgz
    • ❌ acorn-5.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (glslify): 6.3.1

Step up your Open Source Security Game with Mend here

Vulnerable Library - starlette-0.13.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl

Path to dependency file: /module/sprites-as-a-service-0.5.0/backend/requirements.txt

Path to vulnerable library: /module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/runx-0.0.5

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

WS-2020-0300

Vulnerable Library - starlette-0.13.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl

Path to dependency file: /module/sprites-as-a-service-0.5.0/backend/requirements.txt

Path to vulnerable library: /module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/runx-0.0.5

Dependency Hierarchy:

• ❌ starlette-0.13.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

Path Traversal vulnerability was found in starlette before 0.13.5. The vulnerability allows a remote attacker to perform directory traversal attacks. The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Publish Date: 2020-06-23

URL: WS-2020-0300

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-23

Fix Resolution: starlette - 0.13.5

Step up your Open Source Security Game with Mend here

Vulnerable Library - urllib3-1.25.11-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/56/aa/4ef5aa67a9a62505db124a5cb5262332d1d4153462eb8fd89c9fa41e5d92/urllib3-1.25.11-py2.py3-none-any.whl

Path to dependency file: /module/runx-0.0.5

Path to vulnerable library: /module/runx-0.0.5,/module/requirements.txt,/module

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2021-33503

Vulnerable Library - urllib3-1.25.11-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/56/aa/4ef5aa67a9a62505db124a5cb5262332d1d4153462eb8fd89c9fa41e5d92/urllib3-1.25.11-py2.py3-none-any.whl

Path to dependency file: /module/runx-0.0.5

Path to vulnerable library: /module/runx-0.0.5,/module/requirements.txt,/module

Dependency Hierarchy:

• ❌ urllib3-1.25.11-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

Step up your Open Source Security Game with Mend here

Vulnerable Library - image-data-uri-2.0.1.tgz

Path to dependency file: /module/nft-art-generator-main/package.json

Path to vulnerable library: /module/nft-art-generator-main/node_modules/cliss/node_modules/yargs-parser/package.json

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2020-7608

Vulnerable Library - yargs-parser-7.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz

Path to dependency file: /module/nft-art-generator-main/package.json

Path to vulnerable library: /module/nft-art-generator-main/node_modules/cliss/node_modules/yargs-parser/package.json

Dependency Hierarchy:

• image-data-uri-2.0.1.tgz (Root Library)
  • magicli-0.0.8.tgz
    • cliss-0.0.2.tgz
      • ❌ yargs-parser-7.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Step up your Open Source Security Game with Mend here

Vulnerable Library - urllib3-1.26.15-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/docs/sphinx_requirements.txt

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2023-43804

Vulnerable Library - urllib3-1.26.15-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/docs/sphinx_requirements.txt

Dependency Hierarchy:

• ❌ urllib3-1.26.15-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution: 1.26.17

Step up your Open Source Security Game with Mend here

CVE-2023-45803

Vulnerable Library - urllib3-1.26.15-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl

Path to dependency file: /docs/sphinx_requirements.txt

Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/docs/sphinx_requirements.txt

Dependency Hierarchy:

• ❌ urllib3-1.26.15-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution: 1.26.18

Step up your Open Source Security Game with Mend here

Vulnerable Library - async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2021-43138

Vulnerable Library - async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Dependency Hierarchy:

• ❌ async-1.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: 2.6.4

Step up your Open Source Security Game with Mend here

Vulnerable Library - numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/a5/42/560d269f604d3e186a57c21a363e77e199358d054884e61b73e405dd217c/numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /module/generator-main/requirements.txt

Path to vulnerable library: /module/generator-main/requirements.txt,/tmp/ws-scm/face,/module/generator-main/requirements.txt

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2021-33430

Vulnerable Library - numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/a5/42/560d269f604d3e186a57c21a363e77e199358d054884e61b73e405dd217c/numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /module/generator-main/requirements.txt

Path to vulnerable library: /module/generator-main/requirements.txt,/tmp/ws-scm/face,/module/generator-main/requirements.txt

Dependency Hierarchy:

• ❌ numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulneraility; In (very limited) circumstances a user may be able provoke the buffer overflow, the user is most likely already privileged to at least provoke denial of service by exhausting memory. Triggering this further requires the use of uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.21.0 are vulnerable to CVE-2021-33430

Publish Date: 2021-12-17

URL: CVE-2021-33430

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430

Release Date: 2021-12-17

Fix Resolution: numpy - 1.21.0

Step up your Open Source Security Game with Mend here

CVE-2021-34141

Vulnerable Library - numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/a5/42/560d269f604d3e186a57c21a363e77e199358d054884e61b73e405dd217c/numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /module/generator-main/requirements.txt

Path to vulnerable library: /module/generator-main/requirements.txt,/tmp/ws-scm/face,/module/generator-main/requirements.txt

Dependency Hierarchy:

• ❌ numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2023-46136

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /PRNet-master/requirements.txt

Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ Werkzeug-2.2.3-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.

Publish Date: 2023-10-25

URL: CVE-2023-46136

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hrfv-mqp8-q5rw

Release Date: 2023-10-25

Fix Resolution: 3.0.1

Step up your Open Source Security Game with Mend here

Vulnerable Library - Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2023-44271

Vulnerable Library - Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face

Dependency Hierarchy:

• ❌ Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - Jinja2-2.8-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl

Path to dependency file: /module/requirements.txt

Path to vulnerable library: /module/requirements.txt,/module

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2019-10906

Vulnerable Library - Jinja2-2.8-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl

Path to dependency file: /module/requirements.txt

Path to vulnerable library: /module/requirements.txt,/module

Dependency Hierarchy:

• ❌ Jinja2-2.8-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Publish Date: 2019-04-07

URL: CVE-2019-10906

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906

Release Date: 2020-08-24

Fix Resolution: 2.10.1

Step up your Open Source Security Game with Mend here

CVE-2016-10745

Vulnerable Library - Jinja2-2.8-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl

Path to dependency file: /module/requirements.txt

Path to vulnerable library: /module/requirements.txt,/module

Dependency Hierarchy:

• ❌ Jinja2-2.8-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

Publish Date: 2019-04-08

URL: CVE-2016-10745

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745

Release Date: 2019-04-08

Fix Resolution: 2.8.1

Step up your Open Source Security Game with Mend here

CVE-2020-28493

Vulnerable Library - Jinja2-2.8-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl

Path to dependency file: /module/requirements.txt

Path to vulnerable library: /module/requirements.txt,/module

Dependency Hierarchy:

• ❌ Jinja2-2.8-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Publish Date: 2021-02-01

URL: CVE-2020-28493

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493

Release Date: 2021-02-01

Fix Resolution: Jinja2 - 2.11.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /module/_tests_requirements.txt

Path to vulnerable library: /module/_tests_requirements.txt,/module/wombopy-main/requirements.txt,/module,/module/requirements.txt

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2022-42969

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Path to dependency file: /module/_tests_requirements.txt

Path to vulnerable library: /module/_tests_requirements.txt,/module/wombopy-main/requirements.txt,/module,/module/requirements.txt

Dependency Hierarchy:

• ❌ py-1.11.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-42969

Release Date: 2022-10-16

Fix Resolution: py - 1.5.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl

An implementation of the WebSocket Protocol (RFC 6455 & 7692)

Library home page: https://files.pythonhosted.org/packages/5a/0b/3ebc752392a368af14dd24ee041683416ac6d2463eead94b311b11e41c82/websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /module/runx-0.0.5

Path to vulnerable library: /module/runx-0.0.5

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

CVE-2021-33880

Vulnerable Library - websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl

An implementation of the WebSocket Protocol (RFC 6455 & 7692)

Library home page: https://files.pythonhosted.org/packages/5a/0b/3ebc752392a368af14dd24ee041683416ac6d2463eead94b311b11e41c82/websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /module/runx-0.0.5

Path to vulnerable library: /module/runx-0.0.5

Dependency Hierarchy:

• ❌ websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8

Found in base branch: master

Vulnerability Details

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.

Publish Date: 2021-06-06

URL: CVE-2021-33880

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33880

Release Date: 2021-06-06