Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-7018
### Vulnerable Library - transformers-4.22.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-2800
### Vulnerable Library - transformers-4.22.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-3568
### Vulnerable Library - transformers-4.22.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-6730
### Vulnerable Library - transformers-4.22.2-py3-none-any.whlState-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Dependency Hierarchy: - :x: **transformers-4.22.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad
Found in base branch: branch-23.03
### Vulnerability DetailsDeserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
Publish Date: 2023-12-19
URL: CVE-2023-6730
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16/
Release Date: 2023-12-19
Fix Resolution: 4.36.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-7018
### Vulnerable Library - transformers-4.22.2-py3-none-any.whlState-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Dependency Hierarchy: - :x: **transformers-4.22.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad
Found in base branch: branch-23.03
### Vulnerability DetailsDeserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
Publish Date: 2023-12-20
URL: CVE-2023-7018
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018
Release Date: 2023-12-20
Fix Resolution: 4.36.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-2800
### Vulnerable Library - transformers-4.22.2-py3-none-any.whlState-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Dependency Hierarchy: - :x: **transformers-4.22.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad
Found in base branch: branch-23.03
### Vulnerability DetailsInsecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.
Publish Date: 2023-05-18
URL: CVE-2023-2800
### CVSS 3 Score Details (4.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a/
Release Date: 2023-05-18
Fix Resolution: 4.30.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-3568
### Vulnerable Library - transformers-4.22.2-py3-none-any.whlState-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl
Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt
Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt
Dependency Hierarchy: - :x: **transformers-4.22.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad
Found in base branch: branch-23.03
### Vulnerability DetailsThe huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.
Publish Date: 2024-04-10
URL: CVE-2024-3568
### CVSS 3 Score Details (3.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-3568
Release Date: 2024-04-10
Fix Resolution: 4.38.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)