- I'm The Tech Guy :)
- Always learning ...
- Feel free to ask me anything!
- To reach me check my contact info at smb-h.com
smb-h / ai-lab
Personal lab
License: MIT License
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.TensorSummaryV2` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29193
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29193
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
Step up your Open Source Security Game with Mend here
Natural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/50/09/3b1755d528ad9156ee7243d52aa5cd2b809ef053a0f31b53d92853dd653a/nltk-3.3.0.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 11224a09bd2416657d465ed77014523b84b35867
Found in base branch: main
nltk is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-27
URL: CVE-2021-3828
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3828
Release Date: 2021-09-27
Fix Resolution: nltk - 3.6.4
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, there is a potential for segfault / denial of service in TensorFlow by calling `tf.compat.v1.*` ops which don't yet have support for quantized types, which was added after migration to TensorFlow 2.x. In these scenarios, since the kernel is missing, a `nullptr` value is passed to `ParseDimensionValue` for the `py_value` argument. Then, this is dereferenced, resulting in segfault. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29205
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29205
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.EditDistance` has incomplete validation. Users can pass negative values to cause a segmentation fault based denial of service. In multiple places throughout the code, one may compute an index for a write operation. However, the existing validation only checks against the upper bound of the array. Hence, it is possible to write before the array by massaging the input to generate negative values for `loc`. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29208
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29208
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/1e/73/51137805d1b8d97367a8a77cae4a792af14bb7ce58fbd071af294c740cf0/Werkzeug-2.0.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body.
Publish Date: 2022-05-25
URL: CVE-2022-29361
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29361
Release Date: 2022-05-25
Fix Resolution: Werkzeug - 2.1.1
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.QuantizedConv2D` does not fully validate the input arguments. In this case, references get bound to `nullptr` for each argument that is empty. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29201
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29201
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.Conv3DBackpropFilterV2` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code does not validate that the `filter_sizes` argument is a vector. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29196
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29196
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
Python Imaging Library (Fork)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in base branch: main
A flaw was found in python-pillow. The vulnerability occurs because the remove operation is not validated, leading to improper input validation. This flaw allows externally influenced input to modify or remove the intended command.
Publish Date: 2022-02-02
URL: CVE-2022-24303
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9j59-75qj-795w
Release Date: 2022-02-02
Fix Resolution: Pillow - 9.0.1
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SparseTensorDenseAdd` does not fully validate the input arguments. In this case, a reference gets bound to a `nullptr` during kernel execution. This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29206
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29206
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the macros that TensorFlow uses for writing assertions (e.g., `CHECK_LT`, `CHECK_GT`, etc.) have an incorrect logic when comparing `size_t` and `int` values. Due to type conversion rules, several of the macros would trigger incorrectly. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-21
URL: CVE-2022-29209
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29209
Release Date: 2022-05-21
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SpaceToBatchND` (in all backends such as XLA and handwritten kernels) is vulnerable to an integer overflow: the result of this integer overflow is used to allocate the output tensor, hence we get a denial of service via a `CHECK`-failure (assertion failure), as in TFSA-2021-198. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29203
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29203
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.UnsortedSegmentJoin` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `num_segments` is a scalar but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29197
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29197
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, `tf.compat.v1.signal.rfft2d` and `tf.compat.v1.signal.rfft3d` lack input validation and under certain conditions can result in crashes (due to `CHECK`-failures). Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-21
URL: CVE-2022-29213
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29213
Release Date: 2022-05-21
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's `saved_model_cli` tool is vulnerable to a code injection. This can be used to open a reverse shell. This code path was maintained for compatibility reasons as the maintainers had several test cases where numpy expressions were used as arguments. However, given that the tool is always run manually, the impact of this is still not severe. The maintainers have now removed the `safe=False` argument, so all parsing is done without calling `eval`. The patch is available in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4.
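The advisory above describes the bug class rather than showing it. The block below is an added example written for this page, not TensorFlow's `saved_model_cli` source: the function names and the `;`-separated `name=expr` argument syntax are assumptions modelled on the advisory text, which says the tool evaluated user-supplied numpy expressions with `eval` when `safe=False` and now parses literals only. It puts the injectable pattern next to the hardened form (`ast.literal_eval` plus an identifier check on the input name) and uses a harmless `os.getpid()` call as the payload; the same slot is where a real attacker would spawn a process.

```python
"""eval-based argument parsing (the CVE-2022-29216 pattern) beside a
literal-only parser. Added example, not TensorFlow's own code; the
"name=expr;name=expr" syntax and function names are assumptions."""
import ast
import re

_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_input_exprs_unsafe(arg):
    """Vulnerable pattern: whatever follows '=' is handed to eval(), so any
    Python expression the caller supplies is executed in-process."""
    inputs = {}
    for item in filter(None, arg.split(";")):
        if "=" not in item:
            raise ValueError("expected name=expr, got %r" % item)
        name, expr = item.split("=", 1)
        inputs[name.strip()] = eval(expr)  # the injection point
    return inputs


def parse_input_exprs(arg):
    """Hardened form: only Python literals (numbers, strings, lists, tuples,
    dicts, booleans, None) are accepted via ast.literal_eval, which never
    calls functions or resolves names; the input name must be an identifier."""
    inputs = {}
    for item in filter(None, arg.split(";")):
        if "=" not in item:
            raise ValueError("expected name=expr, got %r" % item)
        name, expr = item.split("=", 1)
        name = name.strip()
        if not _NAME.match(name):
            raise ValueError("invalid input name %r" % name)
        try:
            inputs[name] = ast.literal_eval(expr.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError("input %r is not a literal: %r" % (name, expr)) from exc
    return inputs


def demo():
    """Returns (benign inputs parse identically, eval executed the payload,
    the literal parser rejected the payload)."""
    benign = "x=[[1.0, 2.0], [3.0, 4.0]];y=3"
    # Observable but harmless payload (constructed): eval() runs it, so the
    # returned value is the interpreter's pid rather than a tensor literal.
    payload = "x=__import__('os').getpid()"
    same = parse_input_exprs_unsafe(benign) == parse_input_exprs(benign)
    executed = isinstance(parse_input_exprs_unsafe(payload)["x"], int)
    try:
        parse_input_exprs(payload)
        blocked = False
    except ValueError:
        blocked = True
    return same, executed, blocked


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The two parsers agree on every legitimate tensor literal, which is why the `eval` path looked harmless in tests; the difference only shows up on input nobody wrote a test for. `ast.literal_eval` is the right replacement because it walks the parsed AST and rejects calls, attribute access and names outright instead of trying to sanitize a string.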
Publish Date: 2022-05-21
URL: CVE-2022-29216
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29216
Release Date: 2022-05-21
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.DeleteSessionTensor` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29194
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29194
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.StagePeek` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `index` is a scalar but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29195
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29195
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SparseTensorToCSRSparseMatrix` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `dense_shape` is a vector and `indices` is a matrix (as part of requirements for sparse tensors) but there is no validation for this. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29198
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29198
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of depthwise ops in TensorFlow is vulnerable to a denial of service via `CHECK`-failure (assertion failure) caused by overflowing the number of elements in a tensor.
Publish Date: 2022-05-25
URL: WS-2022-0137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mw6j-hh29-h379
Release Date: 2022-05-25
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.UnsortedSegmentJoin` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `num_segments` is a positive scalar but there is no validation. Since this value is used to allocate the output tensor, a negative value would result in a `CHECK`-failure (assertion failure), as per TFSA-2021-198. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29204
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29204
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
NumPy is the fundamental package for array computing with Python.
Library home page: https://files.pythonhosted.org/packages/08/d6/a6aaa29fea945bc6c61d11f6e0697b325ff7446de5ffd62c2fa02f627048/numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulnerability; in (very limited) circumstances a user may be able to provoke the buffer overflow, but such a user is most likely already privileged enough to at least provoke denial of service by exhausting memory. Triggering this further requires the use of uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.
Publish Date: 2021-12-17
URL: CVE-2021-33430
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430
Release Date: 2021-12-17
Fix Resolution: numpy - 1.21.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, certain TFLite models that were created using the TFLite model converter would crash when loaded in the TFLite interpreter. The culprit is that during quantization the scale of values could be greater than 1 but the code was always assuming sub-unit scaling. Thus, since the code was calling `QuantizeMultiplierSmallerThanOneExp`, the `TFLITE_CHECK_LT` assertion would trigger and abort the process. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-21
URL: CVE-2022-29212
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29212
Release Date: 2022-05-21
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.LSTMBlockCell` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code does not validate the ranks of any of the arguments to this API call. This results in `CHECK`-failures when the elements of the tensor are accessed. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29200
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29200
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
NumPy is the fundamental package for array computing with Python.
Library home page: https://files.pythonhosted.org/packages/08/d6/a6aaa29fea945bc6c61d11f6e0697b325ff7446de5ffd62c2fa02f627048/numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
** DISPUTED ** Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct Denial of Service attacks by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally).
Publish Date: 2021-12-17
URL: CVE-2021-41496
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-41496
Release Date: 2021-12-17
Fix Resolution: autovizwidget - 0.12.7;numpy - 1.22.0rc1;numcodecs - 0.6.2;numpy-base - 1.11.3;numpy - 1.17.4
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.histogram_fixed_width` is vulnerable to a crash when the values array contains Not a Number (`NaN`) elements. The implementation assumes that all floating point operations are defined and then converts a floating point result to an integer index. If `values` contains `NaN` then the result of the division is still `NaN` and the cast to `int32` would result in a crash. This only occurs on the CPU implementation. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-21
URL: CVE-2022-29211
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29211
Release Date: 2022-05-21
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
Python Imaging Library (Fork)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (Pillow version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-45198 | High | 7.5 | Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | Pillow - 9.2.0 | ✅ |
CVE-2022-45199 | High | 7.5 | Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | Pillow - 9.3.0 | ✅ |
Python Imaging Library (Fork)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in base branch: main
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
Publish Date: 2022-11-14
URL: CVE-2022-45198
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-14
Fix Resolution: Pillow - 9.2.0
Python Imaging Library (Fork)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in base branch: main
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.
Publish Date: 2022-11-14
URL: CVE-2022-45199
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-14
Fix Resolution: Pillow - 9.3.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.GetSessionTensor` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29191
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29191
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
Jupyter core package. A base package on which Jupyter projects rely.
Library home page: https://files.pythonhosted.org/packages/66/5f/32ee101e07d5ece26876f13526b16179525e19f4e460f8085e9ef8e54cff/jupyter_core-4.11.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (jupyter_core version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-39286 | High | 8.8 | jupyter_core-4.11.1-py3-none-any.whl | Direct | jupyter-core - 4.11.2 | ✅ |
Jupyter core package. A base package on which Jupyter projects rely.
Library home page: https://files.pythonhosted.org/packages/66/5f/32ee101e07d5ece26876f13526b16179525e19f4e460f8085e9ef8e54cff/jupyter_core-4.11.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in base branch: main
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
Publish Date: 2022-10-26
URL: CVE-2022-39286
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3363
Release Date: 2022-10-26
Fix Resolution: jupyter-core - 4.11.2
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.ragged.constant does not fully validate the input arguments. This results in a denial of service by consuming all available memory. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29202
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29202
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
Lightweight pipelining with Python functions
Library home page: https://files.pythonhosted.org/packages/3e/d5/0163eb0cfa0b673aa4fe1cd3ea9d8a81ea0f32e50807b0c295871e4aab2e/joblib-1.1.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in base branch: main
The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
Publish Date: 2022-09-26
URL: CVE-2022-21797
Base Score Metrics:
Python Imaging Library (Fork)
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: fd970bf4a27de3bf5a37f62ccd54c0cb50cb631a
Found in base branch: main
libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files.
Publish Date: 2022-05-25
URL: CVE-2022-30595
Base Score Metrics:
Type: Upgrade version
Origin: https://pillow.readthedocs.io/en/stable/releasenotes/9.1.1.html
Release Date: 2022-05-25
Fix Resolution: Pillow - 9.1.1
Natural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/50/09/3b1755d528ad9156ee7243d52aa5cd2b809ef053a0f31b53d92853dd653a/nltk-3.3.0.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 11224a09bd2416657d465ed77014523b84b35867
Found in base branch: main
nltk is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2022-01-04
URL: CVE-2021-3842
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f8m6-h2c7-8h9x
Release Date: 2022-01-04
Fix Resolution: nltk - 3.6.6
Natural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/50/09/3b1755d528ad9156ee7243d52aa5cd2b809ef053a0f31b53d92853dd653a/nltk-3.3.0.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 11224a09bd2416657d465ed77014523b84b35867
Found in base branch: main
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.
Publish Date: 2021-12-23
URL: CVE-2021-43854
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854
Release Date: 2021-12-23
Fix Resolution: nltk - 3.6.6
NumPy is the fundamental package for array computing with Python.
Library home page: https://files.pythonhosted.org/packages/08/d6/a6aaa29fea945bc6c61d11f6e0697b325ff7446de5ffd62c2fa02f627048/numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
WhiteSource Note: After conducting further research, WhiteSource has determined that versions 1.12.0 through 1.21.5 of numpy are vulnerable to CVE-2021-34141
Publish Date: 2021-12-17
URL: CVE-2021-34141
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: numpy - 1.22.0rc1,1.12.0b1;numpy-base - 1.16.2;numpy - 1.13.2,1.17.4;albatradis - 1.0.1
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.QuantizeAndDequantizeV4Grad does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29192
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29192
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.LoadAndRemapMatrix does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code assumes `initializing_values` is a vector but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29199
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29199
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
Natural Language Toolkit
Library home page: https://files.pythonhosted.org/packages/50/09/3b1755d528ad9156ee7243d52aa5cd2b809ef053a0f31b53d92853dd653a/nltk-3.3.0.zip
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 11224a09bd2416657d465ed77014523b84b35867
Found in base branch: main
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
Publish Date: 2019-08-22
URL: CVE-2019-14751
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/nltk/nltk/blob/3.4.5/ChangeLog
Release Date: 2020-03-27
Fix Resolution: 3.4.5
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (numpy version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-34141 | Medium | 5.3 | numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 | ✅ |
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in base branch: main
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141
Publish Date: 2021-12-17
URL: CVE-2021-34141
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: numpy - 1.22.0
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c
Found in base branch: main
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, multiple TensorFlow operations misbehave in eager mode when the resource handle provided to them is invalid. In graph mode, it would have been impossible to perform these API calls, but migration to TF 2.x eager mode opened up this vulnerability. If the resource handle is empty, then a reference is bound to a null pointer inside TensorFlow codebase (various codepaths). This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Publish Date: 2022-05-20
URL: CVE-2022-29207
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29207
Release Date: 2022-05-20
Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0