huggingface-space's Issues
pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 1 vulnerability (highest severity is: 9.8)
Vulnerable Library - pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Python library for Apache Arrow
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (pyarrow version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-47248 | Critical | 9.8 | pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 14.0.1 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-47248
Vulnerable Library - pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Python library for Apache Arrow
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).
This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.
It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.
If it is not possible to upgrade, we provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.
Publish Date: 2023-11-09
URL: CVE-2023-47248
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
Release Date: 2023-11-09
Fix Resolution: 14.0.1
Step up your Open Source Security Game with Mend here
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Rate-Limited
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
- Update Contrast-Security-OSS/contrastscan-action digest to 78b7f17
- Update ForAllSecure/mapi-action digest to a6dc077
- Update NeuraLegion/run-scan digest to e8a3577
- Update SonarSource/sonarcloud-github-action digest to 44eed60
- Update autofix-ci/action digest to ea32e3a
- Update codacy/codacy-analysis-cli-action digest to 9c7e404
- Update codescan-io/codescan-scanner-action digest to 34bb123
- Update david-a-wheeler/flawfinder digest to 56ffb9f
- Update docker/login-action digest to e92390c
- Update facebook/pysa-action digest to 15c7aea
- Update microsoft/msvc-code-analysis-action digest to 9631532
- Update nuget/setup-nuget digest to 719621b
- Update pypa/gh-action-pypi-publish digest to 81e9d93
- Update security-code-scan/security-code-scan-add-action digest to 2439fb4
- Update security-code-scan/security-code-scan-results-action digest to 5790582
- Update sigstore/cosign-installer digest to c85d0e2
- Update snyk/actions digest to 8349f90
- Update actions/checkout action to v3.6.0
- Update actions/setup-python action to v4.8.0
- Update dciborow/action-pylint action to v0.1.1
- Update microsoft/action-python action to v0.7.2
- Update microsoft/setup-msbuild action to v1.3.3
- Update py-actions/py-dependency-install action to v4.1.0
- Update snyk/actions action to v0.4.0
- Update actions/cache action to v4
- Update actions/checkout action to v4
- Update actions/dependency-review-action action to v4
- Update actions/setup-go action to v5
- Update actions/setup-python action to v5
- Update dependency ubuntu to v22
- Update github/codeql-action action to v3
- Update github/super-linter action to v5
- Update jakebailey/pyright-action action to v2
- Update microsoft/setup-msbuild action to v2
- Update palewire/install-python-pipenv-pipfile action to v3
- Update sigstore/cosign-installer action to v3
- Create all rate-limited PRs at once
Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- Update tj-actions/changed-files action to v36 [SECURITY]
- Update docker/build-push-action digest to 2cdde99
- Update docker/metadata-action digest to 7535934
- Update docker/setup-buildx-action digest to 2b51285
- Update install-pinned/autoflake digest to eefdf26
- Update install-pinned/black digest to 5c54e21
- Update install-pinned/pyupgrade digest to db06e93
- Update install-pinned/reorder_python_imports digest to 4919b53
- Update shivammathur/setup-php digest to 48e0de2
- Update soos-io/soos-dast-github-action digest to a7f2cb2
- Update jakebailey/pyright-action action to v1.8.1
- Click on this checkbox to rebase all open PRs at once
Detected dependencies
circleci
.circleci/config.yml
github-actions
.github/workflows/auto-pipreqs.yml
timmypidashev/auto-pipreqs v3.1.0
.github/workflows/autofix.yml
actions/checkout v3
autofix-ci/action 8bc06253bec489732e5f9c52884c7cace15c0160
actions/checkout v3
install-pinned/pyupgrade 423622e7c2088eeba495a591385ec22074284f90
install-pinned/reorder_python_imports 515035fd9eb355713f61dee238b17a04ce01f4d2
install-pinned/autoflake 1a248450153f02b75d051acf6c2a05df8c797666
install-pinned/black 9101a4d68e870eaaaae21c412d1d879b93c9afcb
autofix-ci/action 8bc06253bec489732e5f9c52884c7cace15c0160
actions/checkout v3
autofix-ci/action 8bc06253bec489732e5f9c52884c7cace15c0160
.github/workflows/checkout.yml
actions/checkout v3.3.0
actions/checkout v3
.github/workflows/codacy.yml
actions/checkout v3
codacy/codacy-analysis-cli-action cfff30e3217c728b97114255e6236e4d3c72c98c
github/codeql-action v2
.github/workflows/codeql.yml
actions/checkout v3
github/codeql-action v2
github/codeql-action v2
github/codeql-action v2
.github/workflows/codescan.yml
actions/checkout v3
actions/cache v3
codescan-io/codescan-scanner-action 701450bd7630d7fe7f0551fc5679e8f1db87dbd4
github/codeql-action v2
.github/workflows/contrast-scan.yml
actions/checkout v3
Contrast-Security-OSS/contrastscan-action 7c525114dfe622648f6227374937d4e0531558fd
github/codeql-action v2
.github/workflows/datree-validation.yml
actions/checkout v3
tj-actions/changed-files v35
.github/workflows/dependency-review.yml
actions/checkout v3
actions/dependency-review-action v3
.github/workflows/django.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/docker-image.yml
actions/checkout v3
.github/workflows/docker-publish.yml
actions/checkout v3
sigstore/cosign-installer v2.8.1@9becc617647dfa20ae7b1151972e9b3a2c338a2b
docker/setup-buildx-action 165fe681b849eec43aaa64d786b9ec53e690475f
docker/login-action 3da7dc6e2b31f99ef2cb9fb4c50fb0971e0d0139
docker/metadata-action 507c2f2dc502c992ad446e3d7a5dfbe311567a96
docker/build-push-action 37abcedcc1da61a57767b7588cb9d03eb57e28b3
.github/workflows/flawfinder.yml
actions/checkout v3
david-a-wheeler/flawfinder 614801f704906a94ae420a5023c37008e22d7b95
github/codeql-action v2
.github/workflows/g-snyk.yml
turtlebrowser/get-snyk v1.0
.github/workflows/install-python-pipenv-pipfile.yml
palewire/install-python-pipenv-pipfile v2
actions/checkout v3
palewire/install-python-pipenv-pipfile v2
actions/setup-python v4
actions/cache v3
.github/workflows/mayhem-for-api.yml
actions/checkout v3
ForAllSecure/mapi-action 17f120e2ff4e083681085b3d9b08708aea895e2c
github/codeql-action v2
.github/workflows/microsoft-action-python.yml
microsoft/action-python 0.2.0
dciborow/pyaction 0.0.30
dciborow/pyaction 0.0.30
dciborow/pyaction 0.0.30
dciborow/pyaction 0.0.30
dciborow/pyaction 0.0.30
dciborow/pyaction 0.0.30
rickstaa/action-black v1
reviewdog/action-suggester v1
dciborow/action-bandit 0.0.2
reviewdog/action-flake8 v3
dciborow/action-pylint 0.0.7
jakebailey/pyright-action v1.4.1
actions/setup-python v4
.github/workflows/msvc.yml
actions/checkout v3
microsoft/msvc-code-analysis-action 24c285ab36952c9e9182f4b78dfafbac38a7e5ee
github/codeql-action v2
.github/workflows/neuralegion.yml
actions/checkout v3
NeuraLegion/run-scan 0069b47c4e4b6a2b0ac014a9db0e926fda21d3b1
ubuntu 18.04
.github/workflows/ossar.yml
actions/checkout v3
github/ossar-action v1
github/codeql-action v2
.github/workflows/py-dependency-install.yml
py-actions/py-dependency-install v4.0.0
vednig/pyinstaller-action-windows v0.1.5
actions/setup-python v4.5.0
py-actions/py-dependency-install v4
py-actions/py-dependency-install v4
py-actions/py-dependency-install v4
py-actions/py-dependency-install v4
.github/workflows/pylint.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/pyre.yml
actions/checkout v3
facebook/pyre-action 6dc86fc8f40e0f15cdd8a59d9f93294cf72a0863
.github/workflows/pysa.yml
actions/checkout v3
facebook/pysa-action f46a63777e59268613bd6e2ff4e29f144ca9e88b
.github/workflows/python-app.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/python-package-conda.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/python-package.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/python-publish.yml
actions/checkout v3
actions/setup-python v4
pypa/gh-action-pypi-publish 7eb3b701d11256e583f5b49899c5e7203deab573
.github/workflows/securitycodescan.yml
actions/checkout v3
nuget/setup-nuget 4cc6b0f837d65c0bd18565538a1d8a0d3dcfa60a
microsoft/setup-msbuild v1.1.3
security-code-scan/security-code-scan-add-action 95291dec3220baeb23648cf09e55e87dcda0d43b
security-code-scan/security-code-scan-results-action 873fde2b46c10b7b3da204145d22377caad73420
github/codeql-action v2
.github/workflows/setup-python.yml
actions/setup-python v4.5.0
.github/workflows/snyk-container.yml
actions/checkout v3
snyk/actions e25b2e6f5658d1bb7a6671b113260f13134cc3af
github/codeql-action v2
.github/workflows/snyk-infrastructure.yml
actions/checkout v3
snyk/actions e25b2e6f5658d1bb7a6671b113260f13134cc3af
github/codeql-action v2
.github/workflows/snyk.yml
snyk/actions 0.3.0
actions/setup-go v3
.github/workflows/sonarcloud.yml
SonarSource/sonarcloud-github-action cb201f3b2d7a38231a8c042dfea4539c8bea180b
.github/workflows/soos-dast-scan.yml
soos-io/soos-dast-github-action 3e71b27756f4ed77d7ad3c0ad92afddb47a40e4d
github/codeql-action v2
.github/workflows/stackaid-dependency-generator.yml
stackaid/generate-stackaid-json v1.9
actions/checkout v3
actions/setup-go v3
stackaid/generate-stackaid-json v1.9
.github/workflows/super-linter.yml
actions/checkout v3
github/super-linter v4
.github/workflows/supersnyk.yml
mishabruml/supersnyk v1.1.3
.github/workflows/symfony.yml
shivammathur/setup-php 2b77dd6b79c3203adc3e3809cde9687bf5834238
actions/checkout v3
actions/cache v3
.github/workflows/update-yaml.yaml
actions/setup-python v4
.github/workflows/yamale-docker-action.yml
eXpire163/yamale-docker-action v3.2
actions/checkout v3
pip_requirements
requirements.txt
- Check this box to trigger a request for Renovate to run again on this repository
protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl: 1 vulnerability (highest severity is: 7.5) - autoclosed
Vulnerable Library - protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Protocol Buffers
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (protobuf version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 | ✅ |
Details
CVE-2022-1941
Vulnerable Library - protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Protocol Buffers
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl: 1 vulnerability (highest severity is: 7.5) - autoclosed
Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Protocol Buffers
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (protobuf version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 | ✅ |
Details
CVE-2022-1941
Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Protocol Buffers
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
Flask-2.2.2-py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)
Vulnerable Library - Flask-2.2.2-py3-none-any.whl
A simple framework for building complex web applications.
Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (Flask version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-30861 | High | 7.5 | Flask-2.2.2-py3-none-any.whl | Direct | 2.2.5 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-30861
Vulnerable Library - Flask-2.2.2-py3-none-any.whl
A simple framework for building complex web applications.
Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- Flask-2.2.2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.
- The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
- The application sets `session.permanent = True`.
- The application does not access or modify the session at any point during a request.
- `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).
- The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.
This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Publish Date: 2023-05-02
URL: CVE-2023-30861
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861
Release Date: 2023-05-02
Fix Resolution: 2.2.5
torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerability (highest severity is: 9.8)
Vulnerable Library - torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/7a/fb/b1b11ae95ffa7099ca2e60ed5945e56130cc8740208f42aa77f17e03ab3c/torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (torch version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-45907 | Critical | 9.8 | torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | torch - 1.13.1 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-45907
Vulnerable Library - torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/7a/fb/b1b11ae95ffa7099ca2e60ed5945e56130cc8740208f42aa77f17e03ab3c/torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
Publish Date: 2022-11-26
URL: CVE-2022-45907
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-45907
Release Date: 2022-11-26
Fix Resolution: torch - 1.13.1
Kebechet Pipfile Requirements Manager: no Pipfile found in repo
Kebechet pipfile_requirements manager is installed but no `Pipfile` was found in this repository.
`Pipfile` is required by the pipfile_requirements manager in its current configuration (as specified in `.thoth.yaml`).
Either remove this manager from `.thoth.yaml`, adjust its configuration, or update the repository to meet the requirements.
Reference: see the documentation for [pipfile_requirements](https://thoth-station.ninja/docs/developers/kebechet/managers/pipfile_requirements.html).
tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 43 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (tensorflow version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-25668 | Critical | 9.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ✅ |
CVE-2023-25664 | Critical | 9.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ✅ |
CVE-2022-41900 | Critical | 9.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ✅ |
CVE-2022-41910 | Critical | 9.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ✅ |
CVE-2022-41902 | Critical | 9.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
CVE-2022-41880 | Critical | 9.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
CVE-2022-41894 | High | 8.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
WS-2022-0401 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.10.1 | ✅ |
CVE-2023-25676 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25675 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25674 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25673 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25672 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25671 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ✅ |
CVE-2023-25670 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25669 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25667 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25665 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ✅ |
CVE-2023-25663 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25662 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25660 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25659 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2023-25658 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ✅ |
CVE-2022-41911 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.10.1 | ✅ |
CVE-2022-41909 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
CVE-2022-41908 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-cpu - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-gpu - 2.8.4,2.9.3,2.10.1,2.11.0 | ✅ |
CVE-2022-41907 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-368v-7v32-52fx | ✅ |
CVE-2022-41901 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ✅ |
CVE-2022-41899 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-27rc-728f-x5w2 | ✅ |
CVE-2022-41898 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ✅ |
CVE-2022-41897 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-f2w8-jw48-fr7j | ✅ |
CVE-2022-41896 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-rmg2-f698-wq35 | ✅ |
CVE-2022-41895 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ✅ |
CVE-2022-41893 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ✅ |
CVE-2022-41891 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-66vq-54fq-6jvv | ✅ |
CVE-2022-41890 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
CVE-2022-41889 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
CVE-2022-41888 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
CVE-2022-41887 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.10.1 | ✅ |
CVE-2022-41886 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
CVE-2022-41884 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ✅ |
CVE-2022-41883 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.10.1 | ✅ |
CVE-2023-25661 | Medium | 6.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2023-25668
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. Attackers using TensorFlow prior to 2.12.0 or 2.11.1 can access heap memory that is not under the user's control, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also be cherry-picked onto TensorFlow version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25668
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-gw97-ff7c-9v96
Release Date: 2023-03-25
Fix Resolution: 2.11.1
Step up your Open Source Security Game with Mend here
CVE-2023-25664
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25664
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6hg6-5c2q-7rcr
Release Date: 2023-03-25
Fix Resolution: 2.11.1
CVE-2022-41900
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. The vulnerability is in FractionalMaxPool and FractionalAvgPool when given an illegal pooling_ratio. Attackers using TensorFlow can exploit it to access heap memory that is not under the user's control, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit onto TensorFlow 2.10.1.
Publish Date: 2022-11-18
URL: CVE-2022-41900
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvwp-h6jv-7472
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41910
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit onto TensorFlow 2.8.4, 2.9.3, and 2.10.1.
Publish Date: 2022-12-06
URL: CVE-2022-41910
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-frqp-wp83-qggv
Release Date: 2022-09-30
Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41902
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit onto TensorFlow 2.8.4, 2.9.3, and 2.10.1.
Publish Date: 2022-12-06
URL: CVE-2022-41902
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cg88-rpvp-cjv5
Release Date: 2022-09-30
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41880
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. When the BaseCandidateSamplerOp function receives a value in true_classes larger than range_max, a heap out-of-bounds read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit onto TensorFlow 2.10.1, 2.9.3, and 2.8.4, as these are also affected and still in the supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41880
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41880
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41894
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of data_ptr += num_channels; it should be data_ptr += output_num_channels; if the number of input channels differs from the number of output channels, the wrong result will be returned, and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit onto TensorFlow 2.10.1, 2.9.3, and 2.8.4, as these are also affected and still in the supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41894
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41894
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
WS-2022-0401
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Another instance of CVE-2022-35991, where TensorListScatter and TensorListScatterV2 crash via non-scalar inputs in element_shape, was found in eager mode and fixed.
Publish Date: 2022-11-22
URL: WS-2022-0401
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xf83-q765-xm6m
Release Date: 2022-11-22
Fix Resolution: 2.10.1
CVE-2023-25676
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, tf.raw_ops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25676
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6wfh-89q8-44jq
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25675
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, tf.raw_ops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25675
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7x4v-9gxg-9hwj
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25674
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source machine learning platform. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25674
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf97-q72m-7579
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25673
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25673
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-647v-r7qq-24fh
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25672
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. The function tf.raw_ops.LookupTableImportV2 cannot handle scalars in the values parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25672
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-94mm-g2mv-8p7r
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25671
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25671
Release Date: 2023-03-25
Fix Resolution: 2.11.1
CVE-2023-25670
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25670
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-49rq-hwc3-x77w
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25669
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for tf.raw_ops.AvgPoolGrad, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25669
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rcf8-g8jv-vg6p
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25667
Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when 2^31 <= num_frames * height * width * channels < 2^32, for example a Full HD screencast of at least 346 frames. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25667
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-fqm2-gh8w-gr68
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 1 vulnerabilities (highest severity is: 5.3)
Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (numpy version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-34141 | Medium | 5.3 | numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 | ✅ |
Details
CVE-2021-34141
Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141.
Publish Date: 2021-12-17
URL: CVE-2021-34141
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: numpy - 1.22.0
Depfu Error: No dependency files found
Hello,
We've tried to activate or update your repository on Depfu and couldn't find any supported dependency files. If we were to guess, we would say that this is not actually a project Depfu supports and has probably been activated by error.
Monorepos
Please note that Depfu currently only searches for your dependency files in the root folder. We do support monorepos and non-root files, but don't auto-detect them. If that's the case with this repo, please send us a quick email with the folder you want Depfu to work on and we'll set it up right away!
How to deactivate the project
- Go to the Settings page of either your own account or the organization you've used
- Go to "Installed Integrations"
- Click the "Configure" button on the Depfu integration
- Remove this repo (AdamOswald/Huggingface-Space) from the list of accessible repos.
Please note that using the "All Repositories" setting doesn't make a lot of sense with Depfu.
If you think that this is a mistake
Please let us know by sending an email to [email protected].
This is an automated issue by Depfu. You're getting it because someone configured Depfu to automatically update dependencies on this project.
requests-2.28.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 6.1)
Vulnerable Library - requests-2.28.1-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/ca/91/6d9b8ccacd0412c08820f72cebaa4f0c0441b5cda699c90f618b6f8a1b42/requests-2.28.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (requests version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-32681 | Medium | 6.1 | requests-2.28.1-py3-none-any.whl | Direct | requests - 2.31.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-32681
Vulnerable Library - requests-2.28.1-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/ca/91/6d9b8ccacd0412c08820f72cebaa4f0c0441b5cda699c90f618b6f8a1b42/requests-2.28.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ requests-2.28.1-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Publish Date: 2023-05-26
URL: CVE-2023-32681
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-j8r2-6x86-q33q
Release Date: 2023-05-26
Fix Resolution: requests - 2.31.0
No dependency management found for the default environment
No dependency management found for the default environment. If you want to keep your dependencies managed, please submit a Pipfile, requirements.in or requirements-dev.in file.
To generate a Pipfile, use:
$ pip install --upgrade --user thamos
$ thamos discover --src-path ./
$ git add Pipfile
$ git commit -m 'Add Pipfile for dependency management'
Make sure your Pipfile, requirements.in or requirements-dev.in is placed in the root of your Git repository.
/kind feature
/priority important-soon
onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 1 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Open Neural Network Exchange
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (onnx version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-25882 | High | 7.5 | onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 1.13.1 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-25882
Vulnerable Library - onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Open Neural Network Exchange
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal, as the external_data field of the tensor proto can hold a path to a file outside the model's current directory or the user-provided directory, for example "../../../etc/passwd".
Publish Date: 2023-01-26
URL: CVE-2022-25882
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25882
Release Date: 2023-01-26
Fix Resolution: 1.13.1
[poe][release] Your next release
New release
Preparing for release
I propose we bump the minor version
- v0.0.0
- v0.0.0-rc.0
What's changed
Here are the most recent changes that you've introduced since last version (null)
Changelog Text
- Merge pull request #25 from AdamOswald/renovate/contrast-security-oss-contrastscan-action-digest by Adam Oswald
- Merge branch 'main' into renovate/contrast-security-oss-contrastscan-action-digest by Adam Oswald
- Merge pull request #26 from AdamOswald/renovate/forallsecure-mapi-action-digest by Adam Oswald
- Update ForAllSecure/mapi-action digest to 283b907 by renovate[bot]
- Update Contrast-Security-OSS/contrastscan-action digest to 7c52511 by renovate[bot]
- Merge pull request #21 from AdamOswald/renovate/configure by Adam Oswald
- Merge branch 'main' into renovate/configure by Adam Oswald
- Update .gitattributes by Adam Oswald
- Merge branch 'main' into renovate/configure by Adam Oswald
- Update .gitattributes by Adam Oswald
- Create .restyled.yml by Adam Oswald
- Create .restyled.yaml by Adam Oswald
- Add renovate.json by renovate[bot]
- Merge pull request #18 from AdamOswald/AdamOswald-patch-1 by Adam Oswald
- Add files via upload by Adam Oswald
- Add files via upload by Adam Oswald
- Merge pull request #17 from BrentWJacobs/main by Brent Jacobs
- Update microsoft-action-python.yml by Brent Jacobs
- Merge pull request #16 from BrentWJacobs/main by Brent Jacobs
- Update python-package.yml by Brent Jacobs
- Merge pull request #15 from AdamOswald/AdamOswald-patch-1 by Adam Oswald
- Update snyk.yml by Adam Oswald
- Create sonarcloud.yml by Adam Oswald
- Delete sonarcloud.yml by Adam Oswald
- Update snyk-container.yml by Adam Oswald
- Update neuralegion.yml by Adam Oswald
- Update codescan.yml by Adam Oswald
- Update codeql.yml by Adam Oswald
- Update codacy.yml by Adam Oswald
- Add files via upload by Adam Oswald
- Create cleanthat.json by Adam Oswald
- Merge pull request #14 from BrentWJacobs/main by Brent Jacobs
- Merge branch 'AdamOswald:main' into main by Brent Jacobs
- Merge pull request #1 from BrentWJacobs/circleci-project-setup by Brent Jacobs
- Merge pull request #13 from BrentWJacobs/circleci-project-setup by Brent Jacobs
- Add .circleci/config.yml by Brent Jacobs
- Merge pull request #12 from BrentWJacobs/main by Brent Jacobs
- Create ossar.yml by Brent Jacobs
- Create dependabot.yml by Brent Jacobs
- Delete dependabot.yml by Brent Jacobs
- Create mayhem-for-api.yml by Brent Jacobs
- Merge pull request #11 from AdamOswald/AdamOswald-patch-1 by Adam Oswald
- Add files via upload by Adam Oswald
- Update requirements.txt by Adam Oswald
- Merge pull request #9 from AdamOswald/snyk-fix-3014c80cc920b95661277cc2b2be89dd by Adam Oswald
- Merge branch 'main' into snyk-fix-3014c80cc920b95661277cc2b2be89dd by Adam Oswald
- Update requirements.txt by Adam Oswald
- Merge pull request #8 from AdamOswald/snyk-fix-0a5b838840b5ffeaa5352048aa083419 by Adam Oswald
- Merge branch 'main' into snyk-fix-0a5b838840b5ffeaa5352048aa083419 by Adam Oswald
- Update requirements.txt by Adam Oswald
- fix: requirements.txt to reduce vulnerabilities by snyk-bot
- fix: requirements.txt to reduce vulnerabilities by snyk-bot
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Add files via upload by Adam Oswald
- Add files via upload by Adam Oswald
- Add files via upload by Adam Oswald
- Add files via upload by Adam Oswald
- Add files via upload by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update dependabot.yml by Adam Oswald
- Create dependabot.yml by Adam Oswald
- Create symfony.yml by Adam Oswald
- Create super-linter.yml by Adam Oswald
- Create python-package.yml by Adam Oswald
- Create codeql.yml by Adam Oswald
- Create dependency-review.yml by Adam Oswald
- Create codacy.yml by Adam Oswald
- Create neuralegion.yml by Adam Oswald
- Create pyre.yml by Adam Oswald
- Create pysa.yml by Adam Oswald
- Create codescan.yml by Adam Oswald
- Create snyk-container.yml by Adam Oswald
- Create sonarcloud.yml by Adam Oswald
- Create python-app.yml by Adam Oswald
- Create pylint.yml by Adam Oswald
- Create python-package-conda.yml by Adam Oswald
- Merge pull request #3 from AdamOswald/zeobot-installation by Adam Oswald
- Update .thoth.yaml by Adam Oswald
- ZeoBot's Configuration file was created with the default values by zeobot[bot]
- Update .gitignore by Adam Oswald
- Delete Symfony.patch by Adam Oswald
- Update .gitignore by Adam Oswald
- Delete Python.patch by Adam Oswald
- Update .gitignore by Adam Oswald
- Delete JetBrains.patch by Adam Oswald
- Update .gitignore by Adam Oswald
- Delete JetBrains+all.patch by Adam Oswald
- Create .gitattributes (#10) by Adam Oswald
- Create .gitmodules (#9) by Adam Oswald
- Create .gitignore (#8) by Adam Oswald
- Upload 4 files by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Upload app.py (#7) by Adam Oswald
- Update requirements.txt by Adam Oswald
- Create .github/python.json by Adam Oswald
- Upload 8 files (#6) by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update app.py by Adam Oswald
- Update .gitattributes by Adam Oswald
- Update app.py by Adam Oswald
- Update .gitattributes by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Update .gitattributes by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update packages.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Upload 2 files by Adam Oswald
- Upload ddpm-128-exp000.png by Adam Oswald
- Create style.css by Adam Oswald
- Update requirements.txt by Adam Oswald
- Create .style.yapf by Adam Oswald
- Create .pre-commit-config.yaml by Adam Oswald
- Update .gitattributes by Adam Oswald
- Create .gitmodules by Adam Oswald
- Delete examples/s by Adam Oswald
- Upload 4 files by Adam Oswald
- Create examples/s by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update .gitattributes by Adam Oswald
- Delete samples/s by Adam Oswald
- Upload 10 files by Adam Oswald
- Create samples/s by Adam Oswald
- Update packages.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update .gitignore by Adam Oswald
- Update .gitattributes by Adam Oswald
- Create init.py by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Create transfer.py by Adam Oswald
- Update utils.py by Adam Oswald
- Create packages.txt by Adam Oswald
- Update .gitignore by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update .gitignore by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Delete extract.py by Adam Oswald
- Update app.py by Adam Oswald
- Create app.py by Adam Oswald
- Delete run.py by Adam Oswald
- Update app.py by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update .gitignore by Adam Oswald
- Update .gitattributes by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update .gitignore by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Update .gitattributes by Adam Oswald
- Update Makefile by Adam Oswald
- Update app.py by Adam Oswald
- Update README.md by Adam Oswald
- Update README.md by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Update README.md by Adam Oswald
- Update README.md by Adam Oswald
- Create .gitignore by Adam Oswald
- Create Makefile by Adam Oswald
- Create extract.py by Adam Oswald
- Create run.py by Adam Oswald
- Update app.py by Adam Oswald
- Upload keywords.txt by Adam Oswald
- Upload keywords.txt by Adam Oswald
- Upload flavors.txt by Adam Oswald
- Create movements.txt by Adam Oswald
- Create artists.txt by Adam Oswald
- Create data/mediums.txt by Adam Oswald
- Update app.py by Adam Oswald
- Update app.py by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update requirements.txt by Adam Oswald
- Update app.py by Adam Oswald
- Update .gitattributes by Adam Oswald
- Upload 2 files by Adam Oswald
- Update README.md by Adam Oswald
- Create app.py (#5) by Adam Oswald
- Create requirements.txt by Adam Oswald
- Create .gitattributes (#4) by Adam Oswald
- Create .gitattributes (#3) by Adam Oswald
- Create .gitattributes by Adam Oswald
- Create .gitattributes (#1) by Adam Oswald
- initial commit by Adam Oswald
Releasing
If you would like poe to create a release for you, comment on this issue with the following:
/release:v0.0.0
/release:v0.0.0-rc.0
In case you have a special requirement you may enter which version you see fit
nltk-3.7-py3-none-any.whl: 2 vulnerabilities (highest severity is: 6.1)
Vulnerable Library - nltk-3.7-py3-none-any.whl
Natural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (nltk version) | Remediation Possible** |
---|---|---|---|---|---|---|
WS-2022-0437 | Medium | 6.1 | nltk-3.7-py3-none-any.whl | Direct | 3.8.1 | โ |
WS-2022-0438 | Medium | 5.0 | nltk-3.7-py3-none-any.whl | Direct | 3.8.1 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2022-0437
Vulnerable Library - nltk-3.7-py3-none-any.whl
Natural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- nltk-3.7-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
In nltk/nltk, a reflected XSS can be achieved simply by crafting a URL, which can lead to browser hijacking and loss of sensitive information.
Publish Date: 2022-12-23
URL: WS-2022-0437
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/861a8d11-0fe9-4c2f-9112-af3a9559fa87/
Release Date: 2022-12-23
Fix Resolution: 3.8.1
WS-2022-0438
Vulnerable Library - nltk-3.7-py3-none-any.whl
Natural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- nltk-3.7-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
In nltk prior to 3.8.1, a user who visits a malicious link while the wordnet browser is open will execute code on the system. This may lead to RCE by inducing the user to visit a link.
Publish Date: 2022-12-29
URL: WS-2022-0438
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/cd3957f0-2c9c-416d-bc3a-190a5b7ce4a6/
Release Date: 2022-12-29
Fix Resolution: 3.8.1
pip-22.3.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 3.3)
Vulnerable Library - pip-22.3.1-py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/09/bd/2410905c76ee14c62baf69e3f4aa780226c1bbfc9485731ad018e35b0cb5/pip-22.3.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (pip version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-5752 | Low | 3.3 | pip-22.3.1-py3-none-any.whl | Direct | 23.3 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-5752
Vulnerable Library - pip-22.3.1-py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/09/bd/2410905c76ee14c62baf69e3f4aa780226c1bbfc9485731ad018e35b0cb5/pip-22.3.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- pip-22.3.1-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Publish Date: 2023-10-25
URL: CVE-2023-5752
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-5752
Release Date: 2023-10-25
Fix Resolution: 23.3
paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl: 30 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (paddlepaddle version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-38673 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | โ |
CVE-2023-38671 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | โ |
CVE-2023-38669 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | โ |
CVE-2022-45908 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.4.0 | โ |
CVE-2023-52314 | Critical | 9.6 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52311 | Critical | 9.6 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52310 | Critical | 9.6 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2024-0917 | Critical | 9.4 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | N/A | โ |
CVE-2024-0817 | Critical | 9.3 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | N/A | โ |
CVE-2024-0815 | Critical | 9.3 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | N/A | โ |
CVE-2024-0818 | Critical | 9.1 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2022-46741 | Critical | 9.1 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.4.0 | โ |
CVE-2023-52309 | High | 8.2 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52307 | High | 8.2 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52304 | High | 8.2 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2024-0521 | High | 7.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-38672 | High | 7.5 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | โ |
CVE-2023-38670 | High | 7.5 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | โ |
CVE-2023-52313 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52312 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52308 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52306 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52305 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52303 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-52302 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-38678 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-38677 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-38676 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-38675 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
CVE-2023-38674 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (25 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2023-38673
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.
Publish Date: 2023-07-26
URL: CVE-2023-38673
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-07-26
Fix Resolution: 2.5.0
CVE-2023-38671
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or potentially more serious damage.
Publish Date: 2023-07-26
URL: CVE-2023-38671
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-07-26
Fix Resolution: 2.5.0
CVE-2023-38669
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.
Publish Date: 2023-07-26
URL: CVE-2023-38669
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-07-26
Fix Resolution: 2.5.0
CVE-2022-45908
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.
Publish Date: 2022-11-26
URL: CVE-2022-45908
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-45908
Release Date: 2022-11-26
Fix Resolution: 2.4.0
CVE-2023-52314
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the operating system.
Publish Date: 2024-01-03
URL: CVE-2023-52314
CVSS 3 Score Details (9.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52314
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52311
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system.
Publish Date: 2024-01-03
URL: CVE-2023-52311
CVSS 3 Score Details (9.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52311
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52310
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.
Publish Date: 2024-01-03
URL: CVE-2023-52310
CVSS 3 Score Details (9.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52310
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2024-0917
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Remote code execution in paddlepaddle/paddle 2.6.0.
Publish Date: 2024-03-07
URL: CVE-2024-0917
CVSS 3 Score Details (9.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
CVE-2024-0817
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0
Publish Date: 2024-03-07
URL: CVE-2024-0817
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2024-0815
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0
Publish Date: 2024-03-07
URL: CVE-2024-0815
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2024-0818
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6
Publish Date: 2024-03-07
URL: CVE-2024-0818
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.com/bounties/85b06a1b-ac0b-4096-a06d-330891570cd9/
Release Date: 2024-03-07
Fix Resolution: 2.6.0
CVE-2022-46741
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Out-of-bounds read in gather_tree in PaddlePaddle before 2.4.
Publish Date: 2022-12-07
URL: CVE-2022-46741
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2hvc-hwg3-hpvw
Release Date: 2022-12-07
Fix Resolution: 2.4.0
CVE-2023-52309
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or potentially more damage.
Publish Date: 2024-01-03
URL: CVE-2023-52309
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52309
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52307
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
Publish Date: 2024-01-03
URL: CVE-2023-52307
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52307
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52304
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
Publish Date: 2024-01-03
URL: CVE-2023-52304
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52303
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2024-0521
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Code Injection in paddlepaddle/paddle
Publish Date: 2024-01-20
URL: CVE-2024-0521
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.com/bounties/a569c64b-1e2b-4bed-a19f-47fd5a3da453/
Release Date: 2024-01-20
Fix Resolution: 2.6.0
CVE-2023-38672
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service.
Publish Date: 2023-07-26
URL: CVE-2023-38672
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-38672
Release Date: 2023-07-26
Fix Resolution: 2.5.0
CVE-2023-38670
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This resulted in a runtime crash and denial of service.
Publish Date: 2023-07-26
URL: CVE-2023-38670
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-07-26
Fix Resolution: 2.5.0
CVE-2023-52313
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
Publish Date: 2024-01-03
URL: CVE-2023-52313
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52313
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52312
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
Publish Date: 2024-01-03
URL: CVE-2023-52312
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52312
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52308
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
Publish Date: 2024-01-03
URL: CVE-2023-52308
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52308
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52306
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
FPE in paddle.lerp in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
Publish Date: 2024-01-03
URL: CVE-2023-52306
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52306
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52305
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
FPE in paddle.topk in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
Publish Date: 2024-01-03
URL: CVE-2023-52305
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52305
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52303
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
Publish Date: 2024-01-03
URL: CVE-2023-52303
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52303
Release Date: 2024-01-03
Fix Resolution: 2.6.0
CVE-2023-52302
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Parallel Distributed Deep Learning
Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
Publish Date: 2024-01-03
URL: CVE-2023-52302
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52302
Release Date: 2024-01-03
Fix Resolution: 2.6.0
grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 1 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
HTTP/2-based RPC framework
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (grpcio version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-32731 | High | 7.5 | grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | grpc - 1.53.1,1.54.2, grpcio - 1.53.1,1.54.2 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-32731
Vulnerable Library - grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
HTTP/2-based RPC framework
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in grpc/grpc#33005
Publish Date: 2023-06-09
URL: CVE-2023-32731
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-32731
Release Date: 2023-06-09
Fix Resolution: grpc - 1.53.1,1.54.2, grpcio - 1.53.1,1.54.2
ipython-7.34.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.0)
Vulnerable Library - ipython-7.34.0-py3-none-any.whl
IPython: Productive Interactive Computing
Library home page: https://files.pythonhosted.org/packages/7c/6a/1f1365f4bf9fcb349fcaa5b61edfcefa721aa13ff37c5631296b12fab8e5/ipython-7.34.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (ipython version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-24816 | High | 7.0 | ipython-7.34.0-py3-none-any.whl | Direct | 8.10.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-24816
Vulnerable Library - ipython-7.34.0-py3-none-any.whl
IPython: Productive Interactive Computing
Library home page: https://files.pythonhosted.org/packages/7c/6a/1f1365f4bf9fcb349fcaa5b61edfcefa721aa13ff37c5631296b12fab8e5/ipython-7.34.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ ipython-7.34.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function IPython.utils.terminal.set_term_title be called on Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool, set_term_title could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function, they would be able to inject shell commands as the current process, limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the IPython.utils.terminal.set_term_title function are done with trusted or filtered input.
Publish Date: 2023-02-10
URL: CVE-2023-24816
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-24816
Release Date: 2023-02-10
Fix Resolution: 8.10.0
Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 2 vulnerabilities (highest severity is: 8.1)
Vulnerable Library - Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Python Imaging Library (Fork)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (Pillow version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-50447 | High | 8.1 | Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | pillow - 10.2.0 | ✅ |
CVE-2023-44271 | High | 7.5 | Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | Pillow - 10.0.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-50447
Vulnerable Library - Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Python Imaging Library (Fork)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Publish Date: 2024-01-19
URL: CVE-2023-50447
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1
Release Date: 2024-01-19
Fix Resolution: pillow - 10.2.0
CVE-2023-44271
Vulnerable Library - Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Python Imaging Library (Fork)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Publish Date: 2023-11-03
URL: CVE-2023-44271
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2023-11-03
Fix Resolution: Pillow - 10.0.0
mpmath-1.2.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - mpmath-1.2.1-py3-none-any.whl
Python library for arbitrary-precision floating-point arithmetic
Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (mpmath version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-29063 | High | 7.5 | mpmath-1.2.1-py3-none-any.whl | Direct | N/A | ❌ |
Details
CVE-2021-29063
Vulnerable Library - mpmath-1.2.1-py3-none-any.whl
Python library for arbitrary-precision floating-point arithmetic
Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ mpmath-1.2.1-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called.
Mend Note: After conducting further research, Mend has determined that all versions of mpmath through 1.2.1 are vulnerable to CVE-2021-29063.
Publish Date: 2021-06-21
URL: CVE-2021-29063
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
gradio-3.4b2-py3-none-any.whl: 4 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - gradio-3.4b2-py3-none-any.whl
Python library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (gradio version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-25823 | Critical | 9.8 | gradio-3.4b2-py3-none-any.whl | Direct | 3.13.1 | ✅ |
CVE-2024-0964 | Critical | 9.4 | gradio-3.4b2-py3-none-any.whl | Direct | 4.9.0 | ✅ |
CVE-2023-34239 | Critical | 9.1 | gradio-3.4b2-py3-none-any.whl | Direct | 3.33.0 | ✅ |
CVE-2023-51449 | High | 7.5 | gradio-3.4b2-py3-none-any.whl | Direct | 4.11.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-25823
Vulnerable Library - gradio-3.4b2-py3-none-any.whl
Python library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ gradio-3.4b2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting share=True), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.
Publish Date: 2023-02-23
URL: CVE-2023-25823
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3x5j-9vwr-8rr5
Release Date: 2023-02-23
Fix Resolution: 3.13.1
Step up your Open Source Security Game with Mend here
CVE-2024-0964
Vulnerable Library - gradio-3.4b2-py3-none-any.whl
Python library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ gradio-3.4b2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.
Publish Date: 2024-02-05
URL: CVE-2024-0964
CVSS 3 Score Details (9.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2024-02-05
Fix Resolution: 4.9.0
CVE-2023-34239
Vulnerable Library - gradio-3.4b2-py3-none-any.whl
Python library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ gradio-3.4b2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering, Gradio does not properly restrict file access to users. Additionally, Gradio does not properly restrict what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-06-08
URL: CVE-2023-34239
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-3qqg-pgqq-3695
Release Date: 2023-06-08
Fix Resolution: 3.33.0
CVE-2023-51449
Vulnerable Library - gradio-3.4b2-py3-none-any.whl
Python library for easily interacting with trained machine learning models
Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ gradio-3.4b2-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitrary Python function. Versions of gradio prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks, in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.
Publish Date: 2023-12-22
URL: CVE-2023-51449
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-51449
Release Date: 2023-12-22
Fix Resolution: 4.11.0
aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 6 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (aiohttp version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-23334 | High | 7.5 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.9.2 | ✅ |
CVE-2023-47627 | High | 7.5 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.8.6 | ✅ |
CVE-2023-37276 | High | 7.5 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.8.5 | ✅ |
CVE-2024-23829 | Medium | 6.5 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.9.2 | ✅ |
CVE-2023-49082 | Medium | 5.3 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.9.0 | ✅ |
CVE-2023-49081 | Medium | 5.3 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.9.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-23334
Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Publish Date: 2024-01-29
URL: CVE-2024-23334
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5h86-8mv2-jq9f
Release Date: 2024-01-29
Fix Resolution: 3.9.2
CVE-2023-47627
Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit d5c12ba89, which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.
Publish Date: 2023-11-14
URL: CVE-2023-47627
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gfw2-4jvh-wgfg
Release Date: 2023-11-14
Fix Resolution: 3.8.6
CVE-2023-37276
Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.Application`); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp with `AIOHTTP_NO_EXTENSIONS=1` set as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.
Publish Date: 2023-07-19
URL: CVE-2023-37276
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-45c4-8wx5-qw6w
Release Date: 2023-07-19
Fix Resolution: 3.8.5
CVE-2024-23829
Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.
Publish Date: 2024-01-29
URL: CVE-2024-23829
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-8qpw-xqxj-h4r2
Release Date: 2024-01-29
Fix Resolution: 3.9.2
CVE-2023-49082
Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
Publish Date: 2023-11-29
URL: CVE-2023-49082
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-qvrw-v9rv-5rjx
Release Date: 2023-11-29
Fix Resolution: 3.9.0
CVE-2023-49081
Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
Publish Date: 2023-11-30
URL: CVE-2023-49081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q3qx-c6g2-7pw2
Release Date: 2023-11-30
Fix Resolution: 3.9.0