BrentWJacobs / Huggingface-Space


paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl: 7 vulnerabilities (highest severity is: 9.8) - autoclosed #8

Closed mend-bolt-for-github[bot] closed 11 months ago

mend-bolt-for-github[bot] commented 1 year ago
## Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: b3c4d3a4ce2a8c63dd5db6be463427d89ea56c77

## Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (paddlepaddle version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-38671 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2023-38673 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2023-38669 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2022-45908 | Critical | 9.8 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.4.0 | |
| CVE-2022-46741 | Critical | 9.1 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.4.0 | |
| CVE-2023-38672 | High | 7.5 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |
| CVE-2023-38670 | High | 7.5 | paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl | Direct | 2.5.0 | |

All seven findings are resolved by paddlepaddle 2.5.0 (the two 2022 CVEs already by 2.4.0), so a single bump of the `paddlepaddle` pin in /requirements.txt to 2.5.0 or later clears the whole list.

**In some cases a remediation PR cannot be created automatically for a vulnerability, even though a fixed version is available.

## Details

### CVE-2023-38671

#### Vulnerable Library - paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Parallel Distributed Deep Learning

Library home page: https://files.pythonhosted.org/packages/35/ae/bb0e011f11c026856c643ac3fe023346cc42b702fa201b2044eb8f906dfa/paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **paddlepaddle-2.3.2-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: b3c4d3a4ce2a8c63dd5db6be463427d89ea56c77

Found in base branch: main

#### Vulnerability Details

Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or potentially more severe impact.

Publish Date: 2023-07-26

URL: https://www.cve.org/CVERecord?id=CVE-2023-38671

#### CVSS 3 Score Details (9.8)

Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
### CVE-2023-38673

#### Vulnerability Details

PaddlePaddle before 2.5.0 has a command injection in fs.py. This results in the ability to execute arbitrary commands on the operating system.

Publish Date: 2023-07-26

URL: https://www.cve.org/CVERecord?id=CVE-2023-38673

#### CVSS 3 Score Details (9.8)

Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0
### CVE-2023-38669

#### Vulnerability Details

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This results in a potentially exploitable condition.

Publish Date: 2023-07-26

URL: https://www.cve.org/CVERecord?id=CVE-2023-38669

#### CVSS 3 Score Details (9.8)

Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0
### CVE-2022-45908

#### Vulnerability Details

In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.

Publish Date: 2022-11-26

URL: https://www.cve.org/CVERecord?id=CVE-2022-45908

#### CVSS 3 Score Details (9.8)

Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-45908

Release Date: 2022-11-26

Fix Resolution: 2.4.0
### CVE-2022-46741

#### Vulnerability Details

Out-of-bounds read in gather_tree in PaddlePaddle before 2.4.

Publish Date: 2022-12-07

URL: https://www.cve.org/CVERecord?id=CVE-2022-46741

#### CVSS 3 Score Details (9.1)

Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H):
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-2hvc-hwg3-hpvw

Release Date: 2022-12-07

Fix Resolution: 2.4.0
### CVE-2023-38672

#### Vulnerability Details

Floating-point exception (FPE) in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service.

Publish Date: 2023-07-26

URL: https://www.cve.org/CVERecord?id=CVE-2023-38672

#### CVSS 3 Score Details (7.5)

Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-38672

Release Date: 2023-07-26

Fix Resolution: 2.5.0
### CVE-2023-38670

#### Vulnerability Details

Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This results in a runtime crash and denial of service.

Publish Date: 2023-07-26

URL: https://www.cve.org/CVERecord?id=CVE-2023-38670

#### CVSS 3 Score Details (7.5)

Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-26

Fix Resolution: 2.5.0
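The code-injection pattern behind CVE-2022-45908 above (a window name that reaches `eval`), as an added example that is not PaddlePaddle's code: a constructed, simplified `get_window` that evaluates the caller's string beside one that dispatches through an allowlist. The window functions, the `SIDE_EFFECTS` marker and the `INJECTION` payload are all constructed for this demonstration.

```python
import math

# Constructed, simplified window functions (not PaddlePaddle's implementation).
# The underscore prefix matters: the vulnerable dispatch builds the function
# name by string concatenation and hands the result to eval().
def _hann(n):
    return [0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)) for i in range(n)]

def _hamming(n):
    return [0.54 - 0.46 * math.cos(2 * math.pi * i / (n - 1)) for i in range(n)]

def _rect(n):
    return [1.0] * n

# Marker that lets the demo observe injected code running without doing damage.
SIDE_EFFECTS = []

def get_window_unsafe(winstr, n):
    """Vulnerable pattern: caller-controlled winstr is concatenated into source
    text and evaluated, so any Python expression placed in winstr executes."""
    winfunc = eval("_" + winstr)
    return winfunc(n)

# Allowlist: the only route from a name to a window function.
_WINDOWS = {"hann": _hann, "hamming": _hamming, "rect": _rect}

def get_window_safe(winstr, n):
    """Hardened form: a dictionary lookup, so winstr is data and never code.
    n < 2 is rejected because the cosine windows divide by n - 1."""
    if not isinstance(winstr, str) or not isinstance(n, int) or n < 2:
        raise ValueError("winstr must be a string and n an integer >= 2")
    try:
        winfunc = _WINDOWS[winstr]
    except KeyError:
        raise ValueError(f"unknown window {winstr!r}; expected one of {sorted(_WINDOWS)}") from None
    return winfunc(n)

# Constructed payload a caller could pass as the window name. It still yields a
# valid window, so the result looks normal, but the conditional runs attacker
# code first (here a harmless append; a real payload would reach __import__('os')).
INJECTION = "hann if SIDE_EFFECTS.append('attacker code ran') is None else _hann"

def demo():
    """Returns (window from the unsafe path, observed side effects, whether the safe path refused)."""
    SIDE_EFFECTS.clear()
    unsafe = get_window_unsafe(INJECTION, 4)   # eval executes the payload
    ran = list(SIDE_EFFECTS)
    try:
        get_window_safe(INJECTION, 4)
        blocked = False
    except ValueError:
        blocked = True                          # allowlist rejects the string
    return unsafe, ran, blocked

if __name__ == "__main__":
    print(demo())
```

The unsafe path returns a perfectly good Hann window, which is why this class of bug survives in tests: nothing fails, the attacker's expression simply runs on the way to the result.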
mend-bolt-for-github[bot] commented 11 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
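The OS command-injection class behind CVE-2023-38673 in the report above, as an added example that is not PaddlePaddle's fs.py: a helper that splices a caller-supplied path into a shell command line beside two hardened forms, an argument vector with no shell and `shlex.quote` for the case where a shell is unavoidable. `echo` stands in for the real filesystem client so the block runs anywhere with /bin/sh, and the `PAYLOAD` path is constructed.

```python
import shlex
import subprocess

def run_unsafe(path):
    """Vulnerable pattern: the path is concatenated into a command string that
    /bin/sh parses, so shell metacharacters in path become new commands."""
    return subprocess.check_output("echo " + path, shell=True, text=True)

def run_safe(path):
    """Hardened form: argv list, no shell. The whole path reaches the program as
    one argument. A leading '-' is refused separately: argv stops the shell
    from splitting the path, but not the program from reading it as an option."""
    if not path or path.startswith("-") or "\0" in path:
        raise ValueError(f"refusing suspicious path {path!r}")
    return subprocess.check_output(["echo", path], text=True)

def run_quoted(path):
    """If a shell really is needed (pipes, globs), quote every untrusted
    argument so the shell sees it as a single word."""
    if not path or path.startswith("-") or "\0" in path:
        raise ValueError(f"refusing suspicious path {path!r}")
    return subprocess.check_output("echo " + shlex.quote(path), shell=True, text=True)

# Constructed attacker-controlled path: a valid-looking path followed by a
# second command.
PAYLOAD = "/user/data; echo INJECTED"

def demo():
    """Returns the output of the three variants for the same payload."""
    return run_unsafe(PAYLOAD), run_safe(PAYLOAD), run_quoted(PAYLOAD)

if __name__ == "__main__":
    unsafe, safe, quoted = demo()
    print("shell=True   ->", repr(unsafe))
    print("argv list    ->", repr(safe))
    print("shlex.quote  ->", repr(quoted))
```

With `shell=True` the second line of output is the injected command's; the argv and quoted forms print the payload back as literal text. The `startswith("-")` check is the part people forget: switching to an argument vector fixes metacharacters, not option-style arguments.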