AdamOswald / Huggingface-Space

paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl: 31 vulnerabilities (highest severity is: 9.8) #23

Open mend-bolt-for-github[bot] opened 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (paddlepaddle version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-38673 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2023-38671 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2023-38669 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2022-45908 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.4.0 | |
| CVE-2023-52314 | Critical | 9.6 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52311 | Critical | 9.6 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52310 | Critical | 9.6 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2024-0917 | Critical | 9.4 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | N/A | |
| CVE-2024-0817 | Critical | 9.3 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | N/A | |
| CVE-2024-0815 | Critical | 9.3 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | N/A | |
| CVE-2024-0818 | Critical | 9.1 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2022-46741 | Critical | 9.1 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.4.0 | |
| CVE-2024-1603 | High | 8.2 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | N/A | |
| CVE-2023-52309 | High | 8.2 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52307 | High | 8.2 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52304 | High | 8.2 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2024-0521 | High | 7.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-38672 | High | 7.5 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2023-38670 | High | 7.5 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2023-52313 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52312 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52308 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52306 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52305 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52303 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-52302 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-38678 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-38677 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-38676 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-38675 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |
| CVE-2023-38674 | Medium | 4.7 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.6.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (25 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-38673

### Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

### Vulnerability Details

PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.

Publish Date: 2023-07-26

URL: CVE-2023-38673

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-38671

### Vulnerability Details

Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.

Publish Date: 2023-07-26

URL: CVE-2023-38671

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2023-38669

### Vulnerability Details

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.

Publish Date: 2023-07-26

URL: CVE-2023-38669

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2022-45908

### Vulnerability Details

In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.

Publish Date: 2022-11-26

URL: CVE-2022-45908

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-45908

Release Date: 2022-11-26

Fix Resolution: 2.4.0

CVE-2023-52314

### Vulnerability Details

PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the operating system.

Publish Date: 2024-01-03

URL: CVE-2023-52314

### CVSS 3 Score Details (9.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52314

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52311

### Vulnerability Details

PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system.

Publish Date: 2024-01-03

URL: CVE-2023-52311

### CVSS 3 Score Details (9.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52311

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52310

### Vulnerability Details

PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.

Publish Date: 2024-01-03

URL: CVE-2023-52310

### CVSS 3 Score Details (9.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52310

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2024-0917

### Vulnerability Details

remote code execution in paddlepaddle/paddle 2.6.0

Publish Date: 2024-03-07

URL: CVE-2024-0917

### CVSS 3 Score Details (9.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low

CVE-2024-0817

### Vulnerability Details

Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0

Publish Date: 2024-03-07

URL: CVE-2024-0817

### CVSS 3 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

CVE-2024-0815

### Vulnerability Details

Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0

Publish Date: 2024-03-07

URL: CVE-2024-0815

### CVSS 3 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

CVE-2024-0818

### Vulnerability Details

Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6

Publish Date: 2024-03-07

URL: CVE-2024-0818

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/85b06a1b-ac0b-4096-a06d-330891570cd9/

Release Date: 2024-03-07

Fix Resolution: 2.6.0

CVE-2022-46741

### Vulnerability Details

Out-of-bounds read in gather_tree in PaddlePaddle before 2.4.

Publish Date: 2022-12-07

URL: CVE-2022-46741

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-2hvc-hwg3-hpvw

Release Date: 2022-12-07

Fix Resolution: 2.4.0

CVE-2024-1603

### Vulnerability Details

paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.

Publish Date: 2024-03-23

URL: CVE-2024-1603

### CVSS 3 Score Details (8.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None

CVE-2023-52309

### Vulnerability Details

Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.

Publish Date: 2024-01-03

URL: CVE-2023-52309

### CVSS 3 Score Details (8.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52309

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52307

### Vulnerability Details

Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.

Publish Date: 2024-01-03

URL: CVE-2023-52307

### CVSS 3 Score Details (8.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52307

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52304

### Vulnerability Details

Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.

Publish Date: 2024-01-03

URL: CVE-2023-52304

### CVSS 3 Score Details (8.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52303

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2024-0521

### Vulnerability Details

Code Injection in paddlepaddle/paddle

Publish Date: 2024-01-20

URL: CVE-2024-0521

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/a569c64b-1e2b-4bed-a19f-47fd5a3da453/

Release Date: 2024-01-20

Fix Resolution: 2.6.0

CVE-2023-38672

### Vulnerability Details

FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2023-07-26

URL: CVE-2023-38672

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-38672

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2023-38670

### Vulnerability Details

Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This resulted in a runtime crash and denial of service.

Publish Date: 2023-07-26

URL: CVE-2023-38670

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

CVE-2023-52313

### Vulnerability Details

FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52313

### CVSS 3 Score Details (4.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52313

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52312

### Vulnerability Details

Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52312

### CVSS 3 Score Details (4.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52312

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52308

### Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

### Vulnerability Details

FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52308

### CVSS 3 Score Details (4.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52308

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52306

### Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

### Vulnerability Details

FPE in paddle.lerp in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52306

### CVSS 3 Score Details (4.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52306

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52305

### Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

### Vulnerability Details

FPE in paddle.topk in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52305

### CVSS 3 Score Details (4.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52305

Release Date: 2024-01-03

Fix Resolution: 2.6.0

CVE-2023-52303

### Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

### Vulnerability Details

Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2024-01-03

URL: CVE-2023-52303

### CVSS 3 Score Details (4.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52303

Release Date: 2024-01-03

Fix Resolution: 2.6.0

mezidia-inspector[bot] commented 1 year ago

Nice to meet you, @mend-bolt-for-github[bot]. Thank you for creating an issue. There are some tasks for you:

To close the issue, send the comment "close"; to reopen it, send "reopen".

mezidia-inspector[bot] commented 1 year ago

Nice, one of the tasks is done.

secure-code-warrior-for-github[bot] commented 1 year ago

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "code injection"

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Library"

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

secure-code-warrior-for-github[bot] commented 11 months ago

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "command injection"

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Helpful references
  • OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
  • OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Buffer overflow (Detected by phrase)

Matched on "buffer overflow"

A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "denial of service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "information disclosure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Micro-Learning Topic: Use-after-free (Detected by phrase)

Matched on "Use after free"

Dereferencing pointers to objects that have already been freed opens the door to execution of arbitrary code. Attackers may be able to insert instructions at the freed memory location in order to trigger the exploit when the pointer is used after the memory has been freed.

secure-code-warrior-for-github[bot] commented 3 months ago

Micro-Learning Topic: Stack overflow (Detected by phrase)

Matched on "Stack overflow"

Also referred to as stack buffer overflows. This vulnerability occurs when data received by a program is written to a memory location on the stack and the allocated space is not large enough to take the whole input. If proper boundary checks are not implemented, or unsafe functions like sprintf, fgets etc. are used, which don't require a destination size limit, the stack memory after the target buffer may be written to, allowing an attacker to alter the normal behaviour of the program. Most modern compilers now have a secure switch which may reorder stack variables and generate extra code to protect against this type of vulnerability.

secure-code-warrior-for-github[bot] commented 3 months ago

Micro-Learning Topic: Path traversal (Detected by phrase)

Matched on "Path Traversal"

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Helpful references
  • OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
  • OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.