search

AdamOswald / finetuned_diffusion

0 stars 0 forks source link

transformers-4.26.1-py3-none-any.whl: 4 vulnerabilities (highest severity is: 8.8) #10

Open mend-bolt-for-github[bot] opened 8 months ago

mend-bolt-for-github[bot] commented 8 months ago
Vulnerable Library - transformers-4.26.1-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/1e/e2/60c3f4691b16d126ee9cfe28f598b13c424b60350ab339aba81aef054b8f/transformers-4.26.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: c10d867070bd480fefc55e8b61666f58cb3fcfdc

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (transformers version) Remediation Possible**
CVE-2023-6730 High 8.8 transformers-4.26.1-py3-none-any.whl Direct 4.36.0
CVE-2023-7018 High 7.8 transformers-4.26.1-py3-none-any.whl Direct 4.36.0
CVE-2023-2800 Medium 4.7 transformers-4.26.1-py3-none-any.whl Direct 4.30.1
CVE-2024-3568 Low 3.4 transformers-4.26.1-py3-none-any.whl Direct 4.38.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-6730 ### Vulnerable Library - transformers-4.26.1-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/1e/e2/60c3f4691b16d126ee9cfe28f598b13c424b60350ab339aba81aef054b8f/transformers-4.26.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **transformers-4.26.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: c10d867070bd480fefc55e8b61666f58cb3fcfdc

Found in base branch: main

### Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-19

URL: CVE-2023-6730

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16/

Release Date: 2023-12-19

Fix Resolution: 4.36.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-7018 ### Vulnerable Library - transformers-4.26.1-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/1e/e2/60c3f4691b16d126ee9cfe28f598b13c424b60350ab339aba81aef054b8f/transformers-4.26.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **transformers-4.26.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: c10d867070bd480fefc55e8b61666f58cb3fcfdc

Found in base branch: main

### Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-20

URL: CVE-2023-7018

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018

Release Date: 2023-12-20

Fix Resolution: 4.36.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-2800 ### Vulnerable Library - transformers-4.26.1-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/1e/e2/60c3f4691b16d126ee9cfe28f598b13c424b60350ab339aba81aef054b8f/transformers-4.26.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **transformers-4.26.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: c10d867070bd480fefc55e8b61666f58cb3fcfdc

Found in base branch: main

### Vulnerability Details

Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.

Publish Date: 2023-05-18

URL: CVE-2023-2800

### CVSS 3 Score Details (4.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a/

Release Date: 2023-05-18

Fix Resolution: 4.30.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-3568 ### Vulnerable Library - transformers-4.26.1-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/1e/e2/60c3f4691b16d126ee9cfe28f598b13c424b60350ab339aba81aef054b8f/transformers-4.26.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **transformers-4.26.1-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: c10d867070bd480fefc55e8b61666f58cb3fcfdc

Found in base branch: main

### Vulnerability Details

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

Publish Date: 2024-04-10

URL: CVE-2024-3568

### CVSS 3 Score Details (3.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-3568

Release Date: 2024-04-10

Fix Resolution: 4.38.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
secure-code-warrior-for-github[bot] commented 8 months ago

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Library"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try a challenge in Secure Code Warrior

secure-code-warrior-for-github[bot] commented 8 months ago

Micro-Learning Topic: Deserialization of untrusted data (Detected by phrase)

Matched on "Deserialization of Untrusted Data"

What is this? (2min video)

It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains

Try a challenge in Secure Code Warrior

Helpful references