huggingface-space's People

Contributors

adamoswald, brentwjacobs, renovate[bot], snyk-bot, zeobot[bot]

huggingface-space's Issues

pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 1 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python library for Apache Arrow

Library home page: https://files.pythonhosted.org/packages/48/5a/5a52d6af126e6083b88cebd85a414a75c4a155f1f55f0bd87f61fad188ef/pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (pyarrow version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-47248 | Critical | 9.8 | pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 14.0.1 | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-47248

Vulnerable Library - pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python library for Apache Arrow

Library home page: https://files.pythonhosted.org/packages/48/5a/5a52d6af126e6083b88cebd85a414a75c4a155f1f55f0bd87f61fad188ef/pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ pyarrow-10.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, we provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

Publish Date: 2023-11-09

URL: CVE-2023-47248

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n

Release Date: 2023-11-09

Fix Resolution: 14.0.1

Step up your Open Source Security Game with Mend here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • Update Contrast-Security-OSS/contrastscan-action digest to 78b7f17
  • Update ForAllSecure/mapi-action digest to a6dc077
  • Update NeuraLegion/run-scan digest to e8a3577
  • Update SonarSource/sonarcloud-github-action digest to 44eed60
  • Update autofix-ci/action digest to ea32e3a
  • Update codacy/codacy-analysis-cli-action digest to 9c7e404
  • Update codescan-io/codescan-scanner-action digest to 34bb123
  • Update david-a-wheeler/flawfinder digest to 56ffb9f
  • Update docker/login-action digest to e92390c
  • Update facebook/pysa-action digest to 15c7aea
  • Update microsoft/msvc-code-analysis-action digest to 9631532
  • Update nuget/setup-nuget digest to 719621b
  • Update pypa/gh-action-pypi-publish digest to 81e9d93
  • Update security-code-scan/security-code-scan-add-action digest to 2439fb4
  • Update security-code-scan/security-code-scan-results-action digest to 5790582
  • Update sigstore/cosign-installer digest to c85d0e2
  • Update snyk/actions digest to 8349f90
  • Update actions/checkout action to v3.6.0
  • Update actions/setup-python action to v4.8.0
  • Update dciborow/action-pylint action to v0.1.1
  • Update microsoft/action-python action to v0.7.2
  • Update microsoft/setup-msbuild action to v1.3.3
  • Update py-actions/py-dependency-install action to v4.1.0
  • Update snyk/actions action to v0.4.0
  • Update actions/cache action to v4
  • Update actions/checkout action to v4
  • Update actions/dependency-review-action action to v4
  • Update actions/setup-go action to v5
  • Update actions/setup-python action to v5
  • Update dependency ubuntu to v22
  • Update github/codeql-action action to v3
  • Update github/super-linter action to v5
  • Update jakebailey/pyright-action action to v2
  • Update microsoft/setup-msbuild action to v2
  • Update palewire/install-python-pipenv-pipfile action to v3
  • Update sigstore/cosign-installer action to v3
  • 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

circleci
.circleci/config.yml
github-actions
.github/workflows/auto-pipreqs.yml
  • timmypidashev/auto-pipreqs v3.1.0
.github/workflows/autofix.yml
  • actions/checkout v3
  • autofix-ci/action 8bc06253bec489732e5f9c52884c7cace15c0160
  • actions/checkout v3
  • install-pinned/pyupgrade 423622e7c2088eeba495a591385ec22074284f90
  • install-pinned/reorder_python_imports 515035fd9eb355713f61dee238b17a04ce01f4d2
  • install-pinned/autoflake 1a248450153f02b75d051acf6c2a05df8c797666
  • install-pinned/black 9101a4d68e870eaaaae21c412d1d879b93c9afcb
  • autofix-ci/action 8bc06253bec489732e5f9c52884c7cace15c0160
  • actions/checkout v3
  • autofix-ci/action 8bc06253bec489732e5f9c52884c7cace15c0160
.github/workflows/checkout.yml
  • actions/checkout v3.3.0
  • actions/checkout v3
.github/workflows/codacy.yml
  • actions/checkout v3
  • codacy/codacy-analysis-cli-action cfff30e3217c728b97114255e6236e4d3c72c98c
  • github/codeql-action v2
.github/workflows/codeql.yml
  • actions/checkout v3
  • github/codeql-action v2
  • github/codeql-action v2
  • github/codeql-action v2
.github/workflows/codescan.yml
  • actions/checkout v3
  • actions/cache v3
  • codescan-io/codescan-scanner-action 701450bd7630d7fe7f0551fc5679e8f1db87dbd4
  • github/codeql-action v2
.github/workflows/contrast-scan.yml
  • actions/checkout v3
  • Contrast-Security-OSS/contrastscan-action 7c525114dfe622648f6227374937d4e0531558fd
  • github/codeql-action v2
.github/workflows/datree-validation.yml
  • actions/checkout v3
  • tj-actions/changed-files v35
.github/workflows/dependency-review.yml
  • actions/checkout v3
  • actions/dependency-review-action v3
.github/workflows/django.yml
  • actions/checkout v3
  • actions/setup-python v4
.github/workflows/docker-image.yml
  • actions/checkout v3
.github/workflows/docker-publish.yml
  • actions/checkout v3
  • sigstore/cosign-installer v2.8.1@9becc617647dfa20ae7b1151972e9b3a2c338a2b
  • docker/setup-buildx-action 165fe681b849eec43aaa64d786b9ec53e690475f
  • docker/login-action 3da7dc6e2b31f99ef2cb9fb4c50fb0971e0d0139
  • docker/metadata-action 507c2f2dc502c992ad446e3d7a5dfbe311567a96
  • docker/build-push-action 37abcedcc1da61a57767b7588cb9d03eb57e28b3
.github/workflows/flawfinder.yml
  • actions/checkout v3
  • david-a-wheeler/flawfinder 614801f704906a94ae420a5023c37008e22d7b95
  • github/codeql-action v2
.github/workflows/g-snyk.yml
  • turtlebrowser/get-snyk v1.0
.github/workflows/install-python-pipenv-pipfile.yml
  • palewire/install-python-pipenv-pipfile v2
  • actions/checkout v3
  • palewire/install-python-pipenv-pipfile v2
  • actions/setup-python v4
  • actions/cache v3
.github/workflows/mayhem-for-api.yml
  • actions/checkout v3
  • ForAllSecure/mapi-action 17f120e2ff4e083681085b3d9b08708aea895e2c
  • github/codeql-action v2
.github/workflows/microsoft-action-python.yml
  • microsoft/action-python 0.2.0
  • dciborow/pyaction 0.0.30
  • dciborow/pyaction 0.0.30
  • dciborow/pyaction 0.0.30
  • dciborow/pyaction 0.0.30
  • dciborow/pyaction 0.0.30
  • dciborow/pyaction 0.0.30
  • rickstaa/action-black v1
  • reviewdog/action-suggester v1
  • dciborow/action-bandit 0.0.2
  • reviewdog/action-flake8 v3
  • dciborow/action-pylint 0.0.7
  • jakebailey/pyright-action v1.4.1
  • actions/setup-python v4
.github/workflows/msvc.yml
  • actions/checkout v3
  • microsoft/msvc-code-analysis-action 24c285ab36952c9e9182f4b78dfafbac38a7e5ee
  • github/codeql-action v2
.github/workflows/neuralegion.yml
  • actions/checkout v3
  • NeuraLegion/run-scan 0069b47c4e4b6a2b0ac014a9db0e926fda21d3b1
  • ubuntu 18.04
.github/workflows/ossar.yml
  • actions/checkout v3
  • github/ossar-action v1
  • github/codeql-action v2
.github/workflows/py-dependency-install.yml
  • py-actions/py-dependency-install v4.0.0
  • vednig/pyinstaller-action-windows v0.1.5
  • actions/setup-python v4.5.0
  • py-actions/py-dependency-install v4
  • py-actions/py-dependency-install v4
  • py-actions/py-dependency-install v4
  • py-actions/py-dependency-install v4
.github/workflows/pylint.yml
  • actions/checkout v3
  • actions/setup-python v4
.github/workflows/pyre.yml
  • actions/checkout v3
  • facebook/pyre-action 6dc86fc8f40e0f15cdd8a59d9f93294cf72a0863
.github/workflows/pysa.yml
  • actions/checkout v3
  • facebook/pysa-action f46a63777e59268613bd6e2ff4e29f144ca9e88b
.github/workflows/python-app.yml
  • actions/checkout v3
  • actions/setup-python v4
.github/workflows/python-package-conda.yml
  • actions/checkout v3
  • actions/setup-python v4
.github/workflows/python-package.yml
  • actions/checkout v3
  • actions/setup-python v4
.github/workflows/python-publish.yml
  • actions/checkout v3
  • actions/setup-python v4
  • pypa/gh-action-pypi-publish 7eb3b701d11256e583f5b49899c5e7203deab573
.github/workflows/securitycodescan.yml
  • actions/checkout v3
  • nuget/setup-nuget 4cc6b0f837d65c0bd18565538a1d8a0d3dcfa60a
  • microsoft/setup-msbuild v1.1.3
  • security-code-scan/security-code-scan-add-action 95291dec3220baeb23648cf09e55e87dcda0d43b
  • security-code-scan/security-code-scan-results-action 873fde2b46c10b7b3da204145d22377caad73420
  • github/codeql-action v2
.github/workflows/setup-python.yml
  • actions/setup-python v4.5.0
.github/workflows/snyk-container.yml
  • actions/checkout v3
  • snyk/actions e25b2e6f5658d1bb7a6671b113260f13134cc3af
  • github/codeql-action v2
.github/workflows/snyk-infrastructure.yml
  • actions/checkout v3
  • snyk/actions e25b2e6f5658d1bb7a6671b113260f13134cc3af
  • github/codeql-action v2
.github/workflows/snyk.yml
  • snyk/actions 0.3.0
  • actions/setup-go v3
.github/workflows/sonarcloud.yml
  • SonarSource/sonarcloud-github-action cb201f3b2d7a38231a8c042dfea4539c8bea180b
.github/workflows/soos-dast-scan.yml
  • soos-io/soos-dast-github-action 3e71b27756f4ed77d7ad3c0ad92afddb47a40e4d
  • github/codeql-action v2
.github/workflows/stackaid-dependency-generator.yml
  • stackaid/generate-stackaid-json v1.9
  • actions/checkout v3
  • actions/setup-go v3
  • stackaid/generate-stackaid-json v1.9
.github/workflows/super-linter.yml
  • actions/checkout v3
  • github/super-linter v4
.github/workflows/supersnyk.yml
  • mishabruml/supersnyk v1.1.3
.github/workflows/symfony.yml
  • shivammathur/setup-php 2b77dd6b79c3203adc3e3809cde9687bf5834238
  • actions/checkout v3
  • actions/cache v3
.github/workflows/update-yaml.yaml
  • actions/setup-python v4
.github/workflows/yamale-docker-action.yml
  • eXpire163/yamale-docker-action v3.2
  • actions/checkout v3
pip_requirements
requirements.txt

  • Check this box to trigger a request for Renovate to run again on this repository

protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/af/26/cf27940ece6bb8890a67f741eb9da5359b72749f816edf210a28fe01a247/protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (protobuf version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-1941 | High | 7.5 | protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6; protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 | ❌ |

Details

CVE-2022-1941

Vulnerable Library - protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/af/26/cf27940ece6bb8890a67f741eb9da5359b72749f816edf210a28fe01a247/protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ protobuf-3.20.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (protobuf version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-1941 | High | 7.5 | protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6; protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 | ❌ |

Details

CVE-2022-1941

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#GCP-2022-019

Release Date: 2022-09-22

Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6

Flask-2.2.2-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - Flask-2.2.2-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (Flask version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-30861 | High | 7.5 | Flask-2.2.2-py3-none-any.whl | Direct | 2.2.5 | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-30861

Vulnerable Library - Flask-2.2.2-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ Flask-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Publish Date: 2023-05-02

URL: CVE-2023-30861

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861

Release Date: 2023-05-02

Fix Resolution: 2.2.5

torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl: 1 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/7a/fb/b1b11ae95ffa7099ca2e60ed5945e56130cc8740208f42aa77f17e03ab3c/torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (torch version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-45907 | Critical | 9.8 | torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | torch - 1.13.1 | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-45907

Vulnerable Library - torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/7a/fb/b1b11ae95ffa7099ca2e60ed5945e56130cc8740208f42aa77f17e03ab3c/torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

Publish Date: 2022-11-26

URL: CVE-2022-45907

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-45907

Release Date: 2022-11-26

Fix Resolution: torch - 1.13.1

Kebechet Pipfile Requirements Manager: no Pipfile found in repo

The Kebechet pipfile_requirements manager is installed, but no Pipfile was found in this repository.

`Pipfile` is required by the pipfile_requirements manager in its current configuration (as specified in `.thoth.yaml`).

Either remove this manager from `.thoth.yaml`, adjust its configuration, or update the repository to meet the requirements.

Reference: see the documentation for [pipfile_requirements](https://thoth-station.ninja/docs/developers/kebechet/managers/pipfile_requirements.html).

tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 43 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (tensorflow version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-25668 | Critical | 9.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
| CVE-2023-25664 | Critical | 9.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
| CVE-2022-41900 | Critical | 9.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1; tensorflow-cpu - 2.8.4,2.9.3,2.10.1; tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ❌ |
| CVE-2022-41910 | Critical | 9.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1; tensorflow-cpu - 2.8.4,2.9.3,2.10.1; tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ❌ |
| CVE-2022-41902 | Critical | 9.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| CVE-2022-41880 | Critical | 9.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| CVE-2022-41894 | High | 8.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| WS-2022-0401 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.10.1 | ❌ |
| CVE-2023-25676 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25675 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25674 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25673 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25672 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25671 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
| CVE-2023-25670 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25669 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25667 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25665 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
| CVE-2023-25663 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25662 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25660 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25659 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2023-25658 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0; tensorflow-cpu - 2.11.1,2.12.0; tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
| CVE-2022-41911 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.10.1 | ❌ |
| CVE-2022-41909 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| CVE-2022-41908 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1,2.11.0; tensorflow-cpu - 2.8.4,2.9.3,2.10.1,2.11.0; tensorflow-gpu - 2.8.4,2.9.3,2.10.1,2.11.0 | ❌ |
| CVE-2022-41907 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-368v-7v32-52fx | ❌ |
| CVE-2022-41901 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1; tensorflow-cpu - 2.8.4,2.9.3,2.10.1; tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ❌ |
| CVE-2022-41899 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-27rc-728f-x5w2 | ❌ |
| CVE-2022-41898 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1; tensorflow-cpu - 2.8.4,2.9.3,2.10.1; tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ❌ |
| CVE-2022-41897 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-f2w8-jw48-fr7j | ❌ |
| CVE-2022-41896 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-rmg2-f698-wq35 | ❌ |
| CVE-2022-41895 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1; tensorflow-cpu - 2.8.4,2.9.3,2.10.1; tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ❌ |
| CVE-2022-41893 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1; tensorflow-cpu - 2.8.4,2.9.3,2.10.1; tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | ❌ |
| CVE-2022-41891 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-66vq-54fq-6jvv | ❌ |
| CVE-2022-41890 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| CVE-2022-41889 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| CVE-2022-41888 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| CVE-2022-41887 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.10.1 | ❌ |
| CVE-2022-41886 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| CVE-2022-41884 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0; tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
| CVE-2022-41883 | High | 7.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.10.1 | ❌ |
| CVE-2023-25661 | Medium | 6.5 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-25668

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Attackers using Tensorflow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25668

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gw97-ff7c-9v96

Release Date: 2023-03-25

Fix Resolution: 2.11.1

Step up your Open Source Security Game with Mend here

CVE-2023-25664

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25664

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6hg6-5c2q-7rcr

Release Date: 2023-03-25

Fix Resolution: 2.11.1

CVE-2022-41900

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.

Publish Date: 2022-11-18

URL: CVE-2022-41900

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvwp-h6jv-7472

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

CVE-2022-41910

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1.

Publish Date: 2022-12-06

URL: CVE-2022-41910

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-frqp-wp83-qggv

Release Date: 2022-09-30

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

CVE-2022-41902

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1.

Publish Date: 2022-12-06

URL: CVE-2022-41902

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cg88-rpvp-cjv5

Release Date: 2022-09-30

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

CVE-2022-41880

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. When the BaseCandidateSamplerOp function receives a value in true_classes larger than range_max, a heap oob read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41880

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41880

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

CVE-2022-41894

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of data_ptr += num_channels; it should be data_ptr += output_num_channels; as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41894

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41894

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

WS-2022-0401

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Another instance of CVE-2022-35991, where TensorListScatter and TensorListScatterV2 crash via non-scalar inputs in element_shape, was found in eager mode and fixed.

Publish Date: 2022-11-22

URL: WS-2022-0401

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xf83-q765-xm6m

Release Date: 2022-11-22

Fix Resolution: 2.10.1

CVE-2023-25676

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, tf.raw_ops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25676

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6wfh-89q8-44jq

Release Date: 2023-03-24

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

CVE-2023-25675

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, tf.raw_ops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25675

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-7x4v-9gxg-9hwj

Release Date: 2023-03-24

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

CVE-2023-25674

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source machine learning platform. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25674

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf97-q72m-7579

Release Date: 2023-03-24

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

CVE-2023-25673

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25673

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-647v-r7qq-24fh

Release Date: 2023-03-24

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

CVE-2023-25672

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. The function tf.raw_ops.LookupTableImportV2 cannot handle scalars in the values parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25672

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-94mm-g2mv-8p7r

Release Date: 2023-03-24

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

CVE-2023-25671

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25671

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25671

Release Date: 2023-03-25

Fix Resolution: 2.11.1

CVE-2023-25670

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null point error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25670

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-49rq-hwc3-x77w

Release Date: 2023-03-24

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

CVE-2023-25669

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for tf.raw_ops.AvgPoolGrad, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25669

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rcf8-g8jv-vg6p

Release Date: 2023-03-24

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

CVE-2023-25667

Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when 2^31 <= num_frames * height * width * channels < 2^32, for example Full HD screencast of at least 346 frames. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25667

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fqm2-gh8w-gr68

Release Date: 2023-03-24

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (numpy version) Remediation Available
CVE-2021-34141 Medium 5.3 numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl Direct numpy - 1.22.0 ❌

Details

CVE-2021-34141

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.0

Depfu Error: No dependency files found

Hello,

We've tried to activate or update your repository on Depfu and couldn't find any supported dependency files. If we were to guess, we would say that this is not actually a project Depfu supports and has probably been activated in error.

Monorepos

Please note that Depfu currently only searches for your dependency files in the root folder. We do support monorepos and non-root files, but don't auto-detect them. If that's the case with this repo, please send us a quick email with the folder you want Depfu to work on and we'll set it up right away!

How to deactivate the project

  • Go to the Settings page of either your own account or the organization you've used
  • Go to "Installed Integrations"
  • Click the "Configure" button on the Depfu integration
  • Remove this repo (AdamOswald/Huggingface-Space) from the list of accessible repos.

Please note that using the "All Repositories" setting doesn't make a lot of sense with Depfu.

If you think that this is a mistake

Please let us know by sending an email to [email protected].


This is an automated issue by Depfu. You're getting it because someone configured Depfu to automatically update dependencies on this project.

requests-2.28.1-py3-none-any.whl: 1 vulnerability (highest severity is: 6.1)

Vulnerable Library - requests-2.28.1-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/ca/91/6d9b8ccacd0412c08820f72cebaa4f0c0441b5cda699c90f618b6f8a1b42/requests-2.28.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (requests version) Remediation Possible**
CVE-2023-32681 Medium 6.1 requests-2.28.1-py3-none-any.whl Direct requests - 2.31.0 ❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-32681

Vulnerable Library - requests-2.28.1-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/ca/91/6d9b8ccacd0412c08820f72cebaa4f0c0441b5cda699c90f618b6f8a1b42/requests-2.28.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ requests-2.28.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how rebuild_proxies is used to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Publish Date: 2023-05-26

URL: CVE-2023-32681

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8r2-6x86-q33q

Release Date: 2023-05-26

Fix Resolution: requests -2.31.0

No dependency management found for the default environment

No dependency management found for the default environment. If you want
to keep your dependencies managed, please submit Pipfile or requirements.in or requirements-dev.in file.

To generate a Pipfile, use:

$ pip install --upgrade --user thamos
$ thamos discover --src-path ./
$ git add Pipfile
$ git commit -m 'Add Pipfile for dependency management'

Make sure your Pipfile or requirements.in or requirements-dev.in is placed in the root of your Git repository.

/kind feature
/priority important-soon

onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Open Neural Network Exchange

Library home page: https://files.pythonhosted.org/packages/bf/c5/e8edd9bc58192ef964270e2f4600a02cd5e5d0958b81f7abe2ee0a604478/onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (onnx version) Remediation Possible**
CVE-2022-25882 High 7.5 onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Direct 1.13.1 ❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25882

Vulnerable Library - onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Open Neural Network Exchange

Library home page: https://files.pythonhosted.org/packages/bf/c5/e8edd9bc58192ef964270e2f4600a02cd5e5d0958b81f7abe2ee0a604478/onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal, as the external_data field of the tensor proto can hold a path to a file outside the model's current directory or the user-provided directory, for example "../../../etc/passwd".

Publish Date: 2023-01-26

URL: CVE-2022-25882

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25882

Release Date: 2023-01-26

Fix Resolution: 1.13.1

[poe][release] Your next release

New release

Preparing for release

I propose we bump the minor version

  • v0.0.0
  • v0.0.0-rc.0

What's changed

Here are the most recent changes that you've introduced since last version (null)

Changelog Text

  • Merge pull request #25 from AdamOswald/renovate/contrast-security-oss-contrastscan-action-digest by Adam Oswald
  • Merge branch 'main' into renovate/contrast-security-oss-contrastscan-action-digest by Adam Oswald
  • Merge pull request #26 from AdamOswald/renovate/forallsecure-mapi-action-digest by Adam Oswald
  • Update ForAllSecure/mapi-action digest to 283b907 by renovate[bot]
  • Update Contrast-Security-OSS/contrastscan-action digest to 7c52511 by renovate[bot]
  • Merge pull request #21 from AdamOswald/renovate/configure by Adam Oswald
  • Merge branch 'main' into renovate/configure by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Merge branch 'main' into renovate/configure by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Create .restyled.yml by Adam Oswald
  • Create .restyled.yaml by Adam Oswald
  • Add renovate.json by renovate[bot]
  • Merge pull request #18 from AdamOswald/AdamOswald-patch-1 by Adam Oswald
  • Add files via upload by Adam Oswald
  • Add files via upload by Adam Oswald
  • Merge pull request #17 from BrentWJacobs/main by Brent Jacobs
  • Update microsoft-action-python.yml by Brent Jacobs
  • Merge pull request #16 from BrentWJacobs/main by Brent Jacobs
  • Update python-package.yml by Brent Jacobs
  • Merge pull request #15 from AdamOswald/AdamOswald-patch-1 by Adam Oswald
  • Update snyk.yml by Adam Oswald
  • Create sonarcloud.yml by Adam Oswald
  • Delete sonarcloud.yml by Adam Oswald
  • Update snyk-container.yml by Adam Oswald
  • Update neuralegion.yml by Adam Oswald
  • Update codescan.yml by Adam Oswald
  • Update codeql.yml by Adam Oswald
  • Update codacy.yml by Adam Oswald
  • Add files via upload by Adam Oswald
  • Create cleanthat.json by Adam Oswald
  • Merge pull request #14 from BrentWJacobs/main by Brent Jacobs
  • Merge branch 'AdamOswald:main' into main by Brent Jacobs
  • Merge pull request #1 from BrentWJacobs/circleci-project-setup by Brent Jacobs
  • Merge pull request #13 from BrentWJacobs/circleci-project-setup by Brent Jacobs
  • Add .circleci/config.yml by Brent Jacobs
  • Merge pull request #12 from BrentWJacobs/main by Brent Jacobs
  • Create ossar.yml by Brent Jacobs
  • Create dependabot.yml by Brent Jacobs
  • Delete dependabot.yml by Brent Jacobs
  • Create mayhem-for-api.yml by Brent Jacobs
  • Merge pull request #11 from AdamOswald/AdamOswald-patch-1 by Adam Oswald
  • Add files via upload by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Merge pull request #9 from AdamOswald/snyk-fix-3014c80cc920b95661277cc2b2be89dd by Adam Oswald
  • Merge branch 'main' into snyk-fix-3014c80cc920b95661277cc2b2be89dd by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Merge pull request #8 from AdamOswald/snyk-fix-0a5b838840b5ffeaa5352048aa083419 by Adam Oswald
  • Merge branch 'main' into snyk-fix-0a5b838840b5ffeaa5352048aa083419 by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • fix: requirements.txt to reduce vulnerabilities by snyk-bot
  • fix: requirements.txt to reduce vulnerabilities by snyk-bot
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Add files via upload by Adam Oswald
  • Add files via upload by Adam Oswald
  • Add files via upload by Adam Oswald
  • Add files via upload by Adam Oswald
  • Add files via upload by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update dependabot.yml by Adam Oswald
  • Create dependabot.yml by Adam Oswald
  • Create symfony.yml by Adam Oswald
  • Create super-linter.yml by Adam Oswald
  • Create python-package.yml by Adam Oswald
  • Create codeql.yml by Adam Oswald
  • Create dependency-review.yml by Adam Oswald
  • Create codacy.yml by Adam Oswald
  • Create neuralegion.yml by Adam Oswald
  • Create pyre.yml by Adam Oswald
  • Create pysa.yml by Adam Oswald
  • Create codescan.yml by Adam Oswald
  • Create snyk-container.yml by Adam Oswald
  • Create sonarcloud.yml by Adam Oswald
  • Create python-app.yml by Adam Oswald
  • Create pylint.yml by Adam Oswald
  • Create python-package-conda.yml by Adam Oswald
  • Merge pull request #3 from AdamOswald/zeobot-installation by Adam Oswald
  • Update .thoth.yaml by Adam Oswald
  • ZeoBot's Configuration file was created with the default values by zeobot[bot]
  • Update .gitignore by Adam Oswald
  • Delete Symfony.patch by Adam Oswald
  • Update .gitignore by Adam Oswald
  • Delete Python.patch by Adam Oswald
  • Update .gitignore by Adam Oswald
  • Delete JetBrains.patch by Adam Oswald
  • Update .gitignore by Adam Oswald
  • Delete JetBrains+all.patch by Adam Oswald
  • Create .gitattributes (#10) by Adam Oswald
  • Create .gitmodules (#9) by Adam Oswald
  • Create .gitignore (#8) by Adam Oswald
  • Upload 4 files by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Upload app.py (#7) by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Create .github/python.json by Adam Oswald
  • Upload 8 files (#6) by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update app.py by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Update app.py by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update packages.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Upload 2 files by Adam Oswald
  • Upload ddpm-128-exp000.png by Adam Oswald
  • Create style.css by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Create .style.yapf by Adam Oswald
  • Create .pre-commit-config.yaml by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Create .gitmodules by Adam Oswald
  • Delete examples/s by Adam Oswald
  • Upload 4 files by Adam Oswald
  • Create examples/s by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Delete samples/s by Adam Oswald
  • Upload 10 files by Adam Oswald
  • Create samples/s by Adam Oswald
  • Update packages.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update .gitignore by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Create init.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Create transfer.py by Adam Oswald
  • Update utils.py by Adam Oswald
  • Create packages.txt by Adam Oswald
  • Update .gitignore by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update .gitignore by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Delete extract.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Create app.py by Adam Oswald
  • Delete run.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update .gitignore by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update .gitignore by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Update Makefile by Adam Oswald
  • Update app.py by Adam Oswald
  • Update README.md by Adam Oswald
  • Update README.md by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update README.md by Adam Oswald
  • Update README.md by Adam Oswald
  • Create .gitignore by Adam Oswald
  • Create Makefile by Adam Oswald
  • Create extract.py by Adam Oswald
  • Create run.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Upload keywords.txt by Adam Oswald
  • Upload keywords.txt by Adam Oswald
  • Upload flavors.txt by Adam Oswald
  • Create movements.txt by Adam Oswald
  • Create artists.txt by Adam Oswald
  • Create data/mediums.txt by Adam Oswald
  • Update app.py by Adam Oswald
  • Update app.py by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update requirements.txt by Adam Oswald
  • Update app.py by Adam Oswald
  • Update .gitattributes by Adam Oswald
  • Upload 2 files by Adam Oswald
  • Update README.md by Adam Oswald
  • Create app.py (#5) by Adam Oswald
  • Create requirements.txt by Adam Oswald
  • Create .gitattributes (#4) by Adam Oswald
  • Create .gitattributes (#3) by Adam Oswald
  • Create .gitattributes by Adam Oswald
  • Create .gitattributes (#1) by Adam Oswald
  • initial commit by Adam Oswald

Releasing

If you would like poe to create a release for you, comment on this issue with the following:

/release:v0.0.0
/release:v0.0.0-rc.0

In case you have a special requirement you may enter which version you see fit

nltk-3.7-py3-none-any.whl: 2 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - nltk-3.7-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nltk version) Remediation Possible**
WS-2022-0437 Medium 6.1 nltk-3.7-py3-none-any.whl Direct 3.8.1 ❌
WS-2022-0438 Medium 5.0 nltk-3.7-py3-none-any.whl Direct 3.8.1 ❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2022-0437

Vulnerable Library - nltk-3.7-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ nltk-3.7-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

In nltk/nltk, a reflected XSS can be achieved by simply creating a URL, which leads to browser hijacking, and sensitive information loss.

Publish Date: 2022-12-23

URL: WS-2022-0437

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/861a8d11-0fe9-4c2f-9112-af3a9559fa87/

Release Date: 2022-12-23

Fix Resolution: 3.8.1

WS-2022-0438

Vulnerable Library - nltk-3.7-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ nltk-3.7-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

In nltk prior to 3.8.1, a user who visits a malicious link while the wordnet browser is open will execute code on the system. This may lead to RCE by inducing the user to visit a link.

Publish Date: 2022-12-29

URL: WS-2022-0438

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/cd3957f0-2c9c-416d-bc3a-190a5b7ce4a6/

Release Date: 2022-12-29

Fix Resolution: 3.8.1

pip-22.3.1-py3-none-any.whl: 1 vulnerability (highest severity is: 3.3)

Vulnerable Library - pip-22.3.1-py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/09/bd/2410905c76ee14c62baf69e3f4aa780226c1bbfc9485731ad018e35b0cb5/pip-22.3.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (pip version) Remediation Possible**
CVE-2023-5752 Low 3.3 pip-22.3.1-py3-none-any.whl Direct 23.3 ❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-5752

Vulnerable Library - pip-22.3.1-py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/09/bd/2410905c76ee14c62baf69e3f4aa780226c1bbfc9485731ad018e35b0cb5/pip-22.3.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ pip-22.3.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Publish Date: 2023-10-25

URL: CVE-2023-5752

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-5752

Release Date: 2023-10-25

Fix Resolution: 23.3

paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl: 30 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (paddlepaddle version) Remediation Possible**
CVE-2023-38673 Critical 9.8 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.5.0 ❌
CVE-2023-38671 Critical 9.8 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.5.0 ❌
CVE-2023-38669 Critical 9.8 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.5.0 ❌
CVE-2022-45908 Critical 9.8 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.4.0 ❌
CVE-2023-52314 Critical 9.6 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52311 Critical 9.6 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52310 Critical 9.6 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2024-0917 Critical 9.4 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct N/A ❌
CVE-2024-0817 Critical 9.3 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct N/A ❌
CVE-2024-0815 Critical 9.3 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct N/A ❌
CVE-2024-0818 Critical 9.1 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2022-46741 Critical 9.1 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.4.0 ❌
CVE-2023-52309 High 8.2 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52307 High 8.2 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52304 High 8.2 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2024-0521 High 7.8 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-38672 High 7.5 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.5.0 ❌
CVE-2023-38670 High 7.5 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.5.0 ❌
CVE-2023-52313 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52312 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52308 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52306 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52305 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52303 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-52302 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-38678 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-38677 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-38676 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-38675 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌
CVE-2023-38674 Medium 4.7 paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl Direct 2.6.0 ❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (25 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-38673

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.

Publish Date: 2023-07-26

URL: CVE-2023-38673

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2023-38671

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or potentially more damage.

Publish Date: 2023-07-26

URL: CVE-2023-38671

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2023-38669

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • ❌ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.

Publish Date: 2023-07-26

URL: CVE-2023-38669

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2022-45908

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.

Publish Date: 2022-11-26

URL: CVE-2022-45908

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-45908

Release Date: 2022-11-26

Fix Resolution: 2.4.0

CVE-2023-52314

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the operating system.

Publish Date: 2024-01-03

URL: CVE-2023-52314

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52314

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52311

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system.

Publish Date: 2024-01-03

URL: CVE-2023-52311

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52311

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52310

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.

Publish Date: 2024-01-03

URL: CVE-2023-52310

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52310

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2024-0917

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Remote code execution in paddlepaddle/paddle 2.6.0

Publish Date: 2024-03-07

URL: CVE-2024-0917

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

CVE-2024-0817

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0

Publish Date: 2024-03-07

URL: CVE-2024-0817

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

CVE-2024-0815

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0

Publish Date: 2024-03-07

URL: CVE-2024-0815

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

CVE-2024-0818

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6

Publish Date: 2024-03-07

URL: CVE-2024-0818

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/85b06a1b-ac0b-4096-a06d-330891570cd9/

Release Date: 2024-03-07

Fix Resolution: 2.6.0

CVE-2022-46741

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Out-of-bounds read in gather_tree in PaddlePaddle before 2.4.

Publish Date: 2022-12-07

URL: CVE-2022-46741

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2hvc-hwg3-hpvw

Release Date: 2022-12-07

Fix Resolution: 2.4.0

CVE-2023-52309

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or potentially more damage.

Publish Date: 2024-01-03

URL: CVE-2023-52309

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52309

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52307

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.

Publish Date: 2024-01-03

URL: CVE-2023-52307

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52307

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52304

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.

Publish Date: 2024-01-03

URL: CVE-2023-52304

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52303

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2024-0521

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Code Injection in paddlepaddle/paddle

Publish Date: 2024-01-20

URL: CVE-2024-0521

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/a569c64b-1e2b-4bed-a19f-47fd5a3da453/

Release Date: 2024-01-20

Fix Resolution: 2.6.0

CVE-2023-38672

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2023-07-26

URL: CVE-2023-38672

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-38672

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2023-38670

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This resulted in a runtime crash and denial of service.

Publish Date: 2023-07-26

URL: CVE-2023-38670

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2023-52313

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52313

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52313

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52312

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52312

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52312

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52308

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52308

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52308

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52306

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

FPE in paddle.lerp in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52306

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52306

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52305

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

FPE in paddle.topk in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52305

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52305

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52303

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52303

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52303

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52302

Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52302

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52302

Release Date: 2024-01-03

Fix Resolution: 2.6.0

grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

HTTP/2-based RPC framework

Library home page: https://files.pythonhosted.org/packages/59/7a/90ec6306b78a6844cd1c0fdd11dc2b03b0b4607f3e034ba0660651bbd244/grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (grpcio version) Remediation Possible**
CVE-2023-32731 High 7.5 grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Direct grpc - 1.53.1,1.54.2, grpcio - 1.53.1,1.54.2 ❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-32731

Vulnerable Library - grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

HTTP/2-based RPC framework

Library home page: https://files.pythonhosted.org/packages/59/7a/90ec6306b78a6844cd1c0fdd11dc2b03b0b4607f3e034ba0660651bbd244/grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ grpcio-1.50.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in grpc/grpc#33005

Publish Date: 2023-06-09

URL: CVE-2023-32731

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-32731

Release Date: 2023-06-09

Fix Resolution: grpc - 1.53.1,1.54.2, grpcio - 1.53.1,1.54.2

Step up your Open Source Security Game with Mend here

ipython-7.34.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.0)

Vulnerable Library - ipython-7.34.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/7c/6a/1f1365f4bf9fcb349fcaa5b61edfcefa721aa13ff37c5631296b12fab8e5/ipython-7.34.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (ipython version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-24816 | High | 7.0 | ipython-7.34.0-py3-none-any.whl | Direct | 8.10.0 | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-24816

Vulnerable Library - ipython-7.34.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/7c/6a/1f1365f4bf9fcb349fcaa5b61edfcefa721aa13ff37c5631296b12fab8e5/ipython-7.34.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ ipython-7.34.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function IPython.utils.terminal.set_term_title be called on Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool set_term_title could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the IPython.utils.terminal.set_term_title function are done with trusted or filtered input.

Publish Date: 2023-02-10

URL: CVE-2023-24816

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-24816

Release Date: 2023-02-10

Fix Resolution: 8.10.0

Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 2 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c0/47/4023dab2d77ea3f687939770b06e0c191b4a5a20590f158a6e8dbb03e357/Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (Pillow version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-50447 | High | 8.1 | Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | pillow - 10.2.0 | ❌ |
| CVE-2023-44271 | High | 7.5 | Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | Pillow - 10.0.0 | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-50447

Vulnerable Library - Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c0/47/4023dab2d77ea3f687939770b06e0c191b4a5a20590f158a6e8dbb03e357/Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Publish Date: 2024-01-19

URL: CVE-2023-50447

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1

Release Date: 2024-01-19

Fix Resolution: pillow - 10.2.0

CVE-2023-44271

Vulnerable Library - Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c0/47/4023dab2d77ea3f687939770b06e0c191b4a5a20590f158a6e8dbb03e357/Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ Pillow-9.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0

mpmath-1.2.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - mpmath-1.2.1-py3-none-any.whl

Python library for arbitrary-precision floating-point arithmetic

Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (mpmath version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-29063 | High | 7.5 | mpmath-1.2.1-py3-none-any.whl | Direct | N/A | ❌ |

Details

CVE-2021-29063

Vulnerable Library - mpmath-1.2.1-py3-none-any.whl

Python library for arbitrary-precision floating-point arithmetic

Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ mpmath-1.2.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called.
Mend Note: After conducting further research, Mend has determined that all versions of mpmath through 1.2.1 are vulnerable to CVE-2021-29063.

Publish Date: 2021-06-21

URL: CVE-2021-29063

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

gradio-3.4b2-py3-none-any.whl: 4 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - gradio-3.4b2-py3-none-any.whl

Python library for easily interacting with trained machine learning models

Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (gradio version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-25823 | Critical | 9.8 | gradio-3.4b2-py3-none-any.whl | Direct | 3.13.1 | ❌ |
| CVE-2024-0964 | Critical | 9.4 | gradio-3.4b2-py3-none-any.whl | Direct | 4.9.0 | ❌ |
| CVE-2023-34239 | Critical | 9.1 | gradio-3.4b2-py3-none-any.whl | Direct | 3.33.0 | ❌ |
| CVE-2023-51449 | High | 7.5 | gradio-3.4b2-py3-none-any.whl | Direct | 4.11.0 | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-25823

Vulnerable Library - gradio-3.4b2-py3-none-any.whl

Python library for easily interacting with trained machine learning models

Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ gradio-3.4b2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting share=True), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.

Publish Date: 2023-02-23

URL: CVE-2023-25823

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3x5j-9vwr-8rr5

Release Date: 2023-02-23

Fix Resolution: 3.13.1

CVE-2024-0964

Vulnerable Library - gradio-3.4b2-py3-none-any.whl

Python library for easily interacting with trained machine learning models

Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ gradio-3.4b2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.

Publish Date: 2024-02-05

URL: CVE-2024-0964

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2024-02-05

Fix Resolution: 4.9.0

CVE-2023-34239

Vulnerable Library - gradio-3.4b2-py3-none-any.whl

Python library for easily interacting with trained machine learning models

Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ gradio-3.4b2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict which URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-06-08

URL: CVE-2023-34239

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-3qqg-pgqq-3695

Release Date: 2023-06-08

Fix Resolution: 3.33.0

CVE-2023-51449

Vulnerable Library - gradio-3.4b2-py3-none-any.whl

Python library for easily interacting with trained machine learning models

Library home page: https://files.pythonhosted.org/packages/72/63/197bb7a284a2eebeb7b978107c47e8d63abf4152a38326034e3a435f9d7e/gradio-3.4b2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ gradio-3.4b2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

Vulnerability Details

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitrary Python function. Versions of gradio prior to 4.11.0 contained a vulnerability in the /file route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with share=True, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.

Publish Date: 2023-12-22

URL: CVE-2023-51449

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-51449

Release Date: 2023-12-22

Fix Resolution: 4.11.0

aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 6 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/7a/48/7882af39221fee58e33eee6c8e516097e2331334a5937f54fe5b5b285d9e/aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (aiohttp version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-23334 | High | 7.5 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.9.2 | ❌ |
| CVE-2023-47627 | High | 7.5 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.8.6 | ❌ |
| CVE-2023-37276 | High | 7.5 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.8.5 | ❌ |
| CVE-2024-23829 | Medium | 6.5 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.9.2 | ❌ |
| CVE-2023-49082 | Medium | 5.3 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.9.0 | ❌ |
| CVE-2023-49081 | Medium | 5.3 | aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 3.9.0 | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-23334

Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/7a/48/7882af39221fee58e33eee6c8e516097e2331334a5937f54fe5b5b285d9e/aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

Publish Date: 2024-01-29

URL: CVE-2024-23334

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5h86-8mv2-jq9f

Release Date: 2024-01-29

Fix Resolution: 3.9.2

CVE-2023-47627

Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/7a/48/7882af39221fee58e33eee6c8e516097e2331334a5937f54fe5b5b285d9e/aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit d5c12ba89 which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

Publish Date: 2023-11-14

URL: CVE-2023-47627

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gfw2-4jvh-wgfg

Release Date: 2023-11-14

Fix Resolution: 3.8.6

CVE-2023-37276

Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/7a/48/7882af39221fee58e33eee6c8e516097e2331334a5937f54fe5b5b285d9e/aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

Publish Date: 2023-07-19

URL: CVE-2023-37276

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-45c4-8wx5-qw6w

Release Date: 2023-07-19

Fix Resolution: 3.8.5

CVE-2024-23829

Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/7a/48/7882af39221fee58e33eee6c8e516097e2331334a5937f54fe5b5b285d9e/aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

Publish Date: 2024-01-29

URL: CVE-2024-23829

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-8qpw-xqxj-h4r2

Release Date: 2024-01-29

Fix Resolution: 3.9.2

CVE-2023-49082

Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/7a/48/7882af39221fee58e33eee6c8e516097e2331334a5937f54fe5b5b285d9e/aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Publish Date: 2023-11-29

URL: CVE-2023-49082

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-qvrw-v9rv-5rjx

Release Date: 2023-11-29

Fix Resolution: 3.9.0

CVE-2023-49081

Vulnerable Library - aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/7a/48/7882af39221fee58e33eee6c8e516097e2331334a5937f54fe5b5b285d9e/aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ aiohttp-3.8.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

Publish Date: 2023-11-30

URL: CVE-2023-49081

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q3qx-c6g2-7pw2

Release Date: 2023-11-30

Fix Resolution: 3.9.0