:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-7018
### Vulnerable Library - transformers-4.8.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-2800
### Vulnerable Library - transformers-4.8.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-3568
### Vulnerable Library - transformers-4.8.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/fd/1a/41c644c963249fd7f3836d926afa1e3f1cc234a1c40d80c5f03ad8f6f1b2/transformers-4.8.2-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis
Path to vulnerable library: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis,/.ws-temp-THFHIH-requirements.txt
Found in HEAD commit: d952432cb8d2cb53d7a0c189dc2d16fc535cdc75
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-6730
### Vulnerable Library - transformers-4.8.2-py3-none-any.whlState-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/fd/1a/41c644c963249fd7f3836d926afa1e3f1cc234a1c40d80c5f03ad8f6f1b2/transformers-4.8.2-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis
Path to vulnerable library: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis,/.ws-temp-THFHIH-requirements.txt
Dependency Hierarchy: - :x: **transformers-4.8.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: d952432cb8d2cb53d7a0c189dc2d16fc535cdc75
Found in base branch: master
### Vulnerability DetailsDeserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
Publish Date: 2023-12-19
URL: CVE-2023-6730
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16/
Release Date: 2023-12-19
Fix Resolution: 4.36.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-7018
### Vulnerable Library - transformers-4.8.2-py3-none-any.whlState-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/fd/1a/41c644c963249fd7f3836d926afa1e3f1cc234a1c40d80c5f03ad8f6f1b2/transformers-4.8.2-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis
Path to vulnerable library: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis,/.ws-temp-THFHIH-requirements.txt
Dependency Hierarchy: - :x: **transformers-4.8.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: d952432cb8d2cb53d7a0c189dc2d16fc535cdc75
Found in base branch: master
### Vulnerability DetailsDeserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
Publish Date: 2023-12-20
URL: CVE-2023-7018
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018
Release Date: 2023-12-20
Fix Resolution: 4.36.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-2800
### Vulnerable Library - transformers-4.8.2-py3-none-any.whlState-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/fd/1a/41c644c963249fd7f3836d926afa1e3f1cc234a1c40d80c5f03ad8f6f1b2/transformers-4.8.2-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis
Path to vulnerable library: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis,/.ws-temp-THFHIH-requirements.txt
Dependency Hierarchy: - :x: **transformers-4.8.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: d952432cb8d2cb53d7a0c189dc2d16fc535cdc75
Found in base branch: master
### Vulnerability DetailsInsecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.
Publish Date: 2023-05-18
URL: CVE-2023-2800
### CVSS 3 Score Details (4.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a/
Release Date: 2023-05-18
Fix Resolution: 4.30.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-3568
### Vulnerable Library - transformers-4.8.2-py3-none-any.whlState-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/fd/1a/41c644c963249fd7f3836d926afa1e3f1cc234a1c40d80c5f03ad8f6f1b2/transformers-4.8.2-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis
Path to vulnerable library: /tmp/ws-scm/Aspect-Based-Sentiment-Analysis,/.ws-temp-THFHIH-requirements.txt
Dependency Hierarchy: - :x: **transformers-4.8.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: d952432cb8d2cb53d7a0c189dc2d16fc535cdc75
Found in base branch: master
### Vulnerability DetailsThe huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.
Publish Date: 2024-04-10
URL: CVE-2024-3568
### CVSS 3 Score Details (3.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-3568
Release Date: 2024-04-10
Fix Resolution: 4.38.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.