ai-lab's Introduction

  • 🔭 I'm The Tech Guy :)
  • 🌱 Always learning ...
  • 💬 Feel free to ask me anything!
  • 📫 To reach me check my contact info at smb-h.com

ai-lab's People

Contributors

dependabot[bot], smb-h

ai-lab's Issues

CVE-2022-29193 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29193 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.TensorSummaryV2 does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29193

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29193

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
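
The Fix Resolution line lists one patched release per affected minor line (2.6.4 for the 2.6 series pinned here, 2.7.2 for 2.7, and so on). The script below is an added example, not the repository's or Mend's code: it reads a requirements.txt-style pin list, compares each pin against a fix table built from the alerts on this page, and reports the smallest upgrade that clears the advisory. The sample requirements and the fix table are constructed from the versions named in these alerts; the "upgrade X -> Y" wording and the tie-breaking rule (prefer the fix on the pin's own major.minor line) are choices of this example, not anything the alert specifies.

```python
import re

# Constructed sample pins, modelled on the versions named in these alerts;
# this is not the repository's actual requirements.txt.
REQUIREMENTS = """\
tensorflow==2.6.3
Werkzeug==2.0.2
Pillow==9.0.1
nltk>=3.3.0   # lower bound only: the resolver may still pick a vulnerable release
"""

# Patched releases as listed under "Fix Resolution", one entry per affected minor line.
FIXES = {
    "tensorflow": ["2.6.4", "2.7.2", "2.8.1", "2.9.0"],
    "werkzeug": ["2.1.1"],
    "pillow": ["9.0.1"],
    "nltk": ["3.6.4"],
}

_PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)"
)


def parse_version(s):
    """'2.6.3' -> (2, 6, 3); numeric dotted versions only, padded to three parts
    so that '2.9' compares equal to '2.9.0'."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_pins(text):
    """Map normalised package name -> (operator, version) for each requirement line."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = _PIN_RE.match(line)
        if m:
            name, op, ver = m.groups()
            pins[name.lower().replace("_", "-")] = (op, ver)
    return pins


def required_fix(pinned, fixes):
    """Return the smallest patched release the pin must move to, or None if the
    pin is already patched. A pin at or above the newest fix counts as patched;
    otherwise the fix on the same major.minor line is preferred (smallest jump),
    and failing that the smallest fix above the pin."""
    pv = parse_version(pinned)
    fvs = sorted(parse_version(f) for f in fixes)
    if pv >= fvs[-1]:
        return None
    same_line = [fv for fv in fvs if fv[:2] == pv[:2]]
    if same_line:
        return None if pv >= same_line[0] else ".".join(map(str, same_line[0]))
    newer = [fv for fv in fvs if fv > pv]
    return ".".join(map(str, newer[0]))


def audit(requirements_text, fixes):
    """One verdict per package that appears in both the pins and the fix table."""
    report = {}
    for name, (op, ver) in parse_pins(requirements_text).items():
        if name not in fixes:
            continue
        if op != "==":
            # A range cannot be judged: resolve and lock to an exact version first.
            report[name] = f"not pinned ({op}{ver}): resolve to an exact version first"
        else:
            fix = required_fix(ver, fixes[name])
            report[name] = "patched" if fix is None else f"upgrade {ver} -> {fix}"
    return report


if __name__ == "__main__":
    for pkg, verdict in audit(REQUIREMENTS, FIXES).items():
        print(f"{pkg:12s} {verdict}")
```

A `>=` bound is reported rather than judged, because the resolver may still choose a release below the fix; lock the environment first and audit the locked versions. The version parser handles only numeric dotted versions, which covers every pin these alerts name.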


Step up your Open Source Security Game with Mend here

CVE-2021-3828 (High) detected in nltk-3.3.0.zip - autoclosed

CVE-2021-3828 - High Severity Vulnerability

Vulnerable Library - nltk-3.3.0.zip

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/50/09/3b1755d528ad9156ee7243d52aa5cd2b809ef053a0f31b53d92853dd653a/nltk-3.3.0.zip

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • hazm-0.7.0-py3-none-any.whl (Root Library)
    • โŒ nltk-3.3.0.zip (Vulnerable Library)

Found in HEAD commit: 11224a09bd2416657d465ed77014523b84b35867

Found in base branch: main

Vulnerability Details

nltk is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-27

URL: CVE-2021-3828

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3828

Release Date: 2021-09-27

Fix Resolution: nltk - 3.6.4

CVE-2022-29205 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29205 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, there is a potential for segfault / denial of service in TensorFlow by calling tf.compat.v1.* ops which don't yet have support for quantized types, which was added after migration to TensorFlow 2.x. In these scenarios, since the kernel is missing, a nullptr value is passed to ParseDimensionValue for the py_value argument. Then, this is dereferenced, resulting in segfault. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29205

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29205

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29208 (High) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29208 - High Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.EditDistance has incomplete validation. Users can pass negative values to cause a segmentation fault based denial of service. In multiple places throughout the code, one may compute an index for a write operation. However, the existing validation only checks against the upper bound of the array. Hence, it is possible to write before the array by massaging the input to generate negative values for loc. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29208

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29208

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29361 (High) detected in Werkzeug-2.0.2-py3-none-any.whl - autoclosed

CVE-2022-29361 - High Severity Vulnerability

Vulnerable Library - Werkzeug-2.0.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/1e/73/51137805d1b8d97367a8a77cae4a792af14bb7ce58fbd071af294c740cf0/Werkzeug-2.0.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ Werkzeug-2.0.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body.

Publish Date: 2022-05-25

URL: CVE-2022-29361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29361

Release Date: 2022-05-25

Fix Resolution: Werkzeug - 2.1.1

CVE-2022-29201 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29201 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.QuantizedConv2D does not fully validate the input arguments. In this case, references get bound to nullptr for each argument that is empty. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29201

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29201

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29196 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29196 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.Conv3DBackpropFilterV2 does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code does not validate that the filter_sizes argument is a vector. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29196

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29196

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-24303 (Medium) detected in Pillow-9.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl - autoclosed

CVE-2022-24303 - Medium Severity Vulnerability

Vulnerable Library - Pillow-9.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/65/c5/85054edda7adce1e9444db026fb1972d81718b1605d0eddda94a6be0709f/Pillow-9.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • seaborn-0.11.2-py3-none-any.whl (Root Library)
    • matplotlib-3.4.3-cp37-cp37m-manylinux1_x86_64.whl
      • โŒ Pillow-9.0.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A flaw was found in python-pillow. Pillow before 9.0.1 mishandles spaces in temporary pathnames: the temporary image file created when showing an image was removed through a shell command built from its path, so a path containing a space is split into several arguments and files other than the intended temporary image can be deleted. Pillow 9.0.1 removes the temporary file with os.remove instead of going through a shell.
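
The class of bug described above, as an added example that is not Pillow's own code: a cleanup routine that interpolates a temporary path into a shell `rm` command, beside one that removes the file without a shell. It assumes a POSIX `rm` and `/bin/sh`; the file names are constructed for this demonstration, and the working directory is pinned to the temporary directory only so the effect stays inside it.

```python
import os
import subprocess
import tempfile


def remove_via_shell(path):
    """Vulnerable pattern: the path is interpolated into a shell command line
    without quoting, so the shell splits it on whitespace into separate
    arguments. cwd is pinned to the file's directory only to keep this demo's
    side effects inside the temporary sandbox."""
    subprocess.run(f"rm -f {path}", shell=True, cwd=os.path.dirname(path), check=False)


def remove_directly(path):
    """Hardened pattern: no shell involved, the path is one opaque argument."""
    os.remove(path)


def run_demo(remover):
    """Create a temp file whose name contains a space plus an unrelated file in
    the same directory, call the remover on the first, and report what vanished."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "tmp image.png")  # constructed: temp name with a space
        bystander = os.path.join(d, "image.png")   # constructed: unrelated file, same dir
        for p in (target, bystander):
            with open(p, "w") as f:
                f.write("x")
        remover(target)
        return {
            "target_removed": not os.path.exists(target),
            "bystander_removed": not os.path.exists(bystander),
        }


if __name__ == "__main__":
    print("shell :", run_demo(remove_via_shell))  # bystander gone, target survives
    print("direct:", run_demo(remove_directly))   # target gone, bystander survives
```

With the shell variant, `rm -f <dir>/tmp image.png` becomes two arguments: the first names a file that does not exist (silenced by `-f`), the second, `image.png`, resolves against the working directory and deletes the unrelated file, while the intended temporary file survives. Quoting with shlex.quote would also stop the split, but handing the path to os.remove avoids the shell altogether, which is the shape of the fix the advisory describes.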

Publish Date: 2022-02-02

URL: CVE-2022-24303

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-9j59-75qj-795w

Release Date: 2022-02-02

Fix Resolution: Pillow - 9.0.1

CVE-2022-29206 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29206 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.SparseTensorDenseAdd does not fully validate the input arguments. In this case, a reference gets bound to a nullptr during kernel execution. This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29206

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29206

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29209 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29209 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the macros that TensorFlow uses for writing assertions (e.g., CHECK_LT, CHECK_GT, etc.) have an incorrect logic when comparing size_t and int values. Due to type conversion rules, several of the macros would trigger incorrectly. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-21

URL: CVE-2022-29209

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29209

Release Date: 2022-05-21

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29203 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29203 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.SpaceToBatchND (in all backends such as XLA and handwritten kernels) is vulnerable to an integer overflow: The result of this integer overflow is used to allocate the output tensor, hence we get a denial of service via a CHECK-failure (assertion failure), as in TFSA-2021-198. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29203

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29203

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29197 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29197 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.UnsortedSegmentJoin does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code assumes num_segments is a scalar but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29197

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29197

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29213 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29213 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the tf.compat.v1.signal.rfft2d and tf.compat.v1.signal.rfft3d lack input validation and under certain condition can result in crashes (due to CHECK-failures). Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-21

URL: CVE-2022-29213

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29213

Release Date: 2022-05-21

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29216 (High) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29216 - High Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's saved_model_cli tool is vulnerable to a code injection. This can be used to open a reverse shell. This code path was maintained for compatibility reasons as the maintainers had several test cases where numpy expressions were used as arguments. However, given that the tool is always run manually, the impact of this is still not severe. The maintainers have now removed the safe=False argument, so all parsing is done without calling eval. The patch is available in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4.
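
The distinction the advisory draws, parsing a command-line argument with eval versus parsing it without, as an added example that is not TensorFlow's saved_model_cli code: a "name=expression" argument parser in the unsafe style beside one restricted to Python literals through ast.literal_eval. The argument format and the injected expression (a harmless getpid() standing in for the reverse shell the advisory mentions) are constructed for this example.

```python
import ast
import os


def parse_input_exprs_unsafe(items):
    """Vulnerable pattern: each 'name=expr' value goes through eval(), so the
    expression can call anything reachable from the interpreter."""
    parsed = {}
    for item in items:
        name, _, expr = item.partition("=")
        parsed[name.strip()] = eval(expr)  # deliberately unsafe, for illustration only
    return parsed


def parse_input_exprs_safe(items):
    """Hardened pattern: ast.literal_eval accepts only literal syntax (numbers,
    strings, tuples, lists, dicts, sets, booleans, None). Names, attribute
    access and calls are rejected, so no code runs during parsing."""
    parsed = {}
    for item in items:
        name, sep, expr = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"expected name=literal, got {item!r}")
        try:
            parsed[name.strip()] = ast.literal_eval(expr.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"{name.strip()}: not a literal: {expr!r}") from exc
    return parsed


# Constructed inputs: a legitimate literal and a stand-in for an injected
# expression (a harmless getpid() instead of a reverse shell).
BENIGN = "x=[1, 2, 3]"
INJECTED = "y=__import__('os').getpid()"


def run_demo():
    """Show that the eval-based parser executes the injected expression while
    the literal-only parser rejects it and still parses the benign item."""
    unsafe = parse_input_exprs_unsafe([BENIGN, INJECTED])
    try:
        parse_input_exprs_safe([BENIGN, INJECTED])
        rejected = False
    except ValueError:
        rejected = True
    return {
        "unsafe_executed_injected_code": unsafe["y"] == os.getpid(),
        "safe_rejected_injected_code": rejected,
        "safe_parsed_literal": parse_input_exprs_safe([BENIGN])["x"],
    }


if __name__ == "__main__":
    print(run_demo())
```

ast.literal_eval raises ValueError for names, attribute access and calls, so the injected item cannot run anything, while the benign list still parses. When the parsed value must then become an array or tensor, the same order applies: parse the literal first, convert it second, and never evaluate the user's string.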

Publish Date: 2022-05-21

URL: CVE-2022-29216

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29216

Release Date: 2022-05-21

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29194 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29194 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.DeleteSessionTensor does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29194

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29194

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29195 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29195 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.StagePeek does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code assumes index is a scalar but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29195

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29195

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2022-29198 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29198 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.SparseTensorToCSRSparseMatrix does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code assumes dense_shape is a vector and indices is a matrix (as part of requirements for sparse tensors) but there is no validation for this. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29198

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29198

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


WS-2022-0137 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

WS-2022-0137 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of depthwise ops in TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor.

Publish Date: 2022-05-25

URL: WS-2022-0137

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-mw6j-hh29-h379

Release Date: 2022-05-25

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


CVE-2022-29204 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29204 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.UnsortedSegmentJoin does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code assumes num_segments is a positive scalar but there is no validation. Since this value is used to allocate the output tensor, a negative value would result in a CHECK-failure (assertion failure), as per TFSA-2021-198. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29204

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29204

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


CVE-2021-33430 (High) detected in numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

CVE-2021-33430 - High Severity Vulnerability

Vulnerable Library - numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/08/d6/a6aaa29fea945bc6c61d11f6e0697b325ff7446de5ffd62c2fa02f627048/numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • sklearn-0.0.tar.gz (Root Library)
    • scikit_learn-1.0.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
      • โŒ numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulnerability; in the (very limited) circumstances in which a user may be able to provoke the buffer overflow, the user is most likely already privileged enough to at least provoke a denial of service by exhausting memory. Triggering this further requires the use of an uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.

Publish Date: 2021-12-17

URL: CVE-2021-33430

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430

Release Date: 2021-12-17

Fix Resolution: numpy - 1.21.0


CVE-2022-29212 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29212 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, certain TFLite models that were created using the TFLite model converter would crash when loaded in the TFLite interpreter. The culprit is that during quantization the scale of values could be greater than 1, but the code always assumed sub-unit scaling. Thus, since the code was calling QuantizeMultiplierSmallerThanOneExp, the TFLITE_CHECK_LT assertion would trigger and abort the process. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-21

URL: CVE-2022-29212

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29212

Release Date: 2022-05-21

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


CVE-2022-29200 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29200 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.LSTMBlockCell does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code does not validate the ranks of any of the arguments to this API call. This results in CHECK-failures when the elements of the tensor are accessed. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29200

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29200

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


CVE-2021-41496 (High) detected in numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

CVE-2021-41496 - High Severity Vulnerability

Vulnerable Library - numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/08/d6/a6aaa29fea945bc6c61d11f6e0697b325ff7446de5ffd62c2fa02f627048/numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • sklearn-0.0.tar.gz (Root Library)
    • scikit_learn-1.0.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
      • โŒ numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

** DISPUTED ** Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct Denial of Service attacks by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally).

Publish Date: 2021-12-17

URL: CVE-2021-41496

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-41496

Release Date: 2021-12-17

Fix Resolution: autovizwidget - 0.12.7;numpy - 1.22.0rc1;numcodecs - 0.6.2;numpy-base - 1.11.3;numpy - 1.17.4


CVE-2022-29211 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29211 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.histogram_fixed_width is vulnerable to a crash when the values array contains Not a Number (NaN) elements. The implementation assumes that all floating point operations are defined and then converts a floating point result to an integer index. If values contains NaN, then the result of the division is still NaN and the cast to int32 would result in a crash. This only occurs on the CPU implementation. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-21

URL: CVE-2022-29211

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29211

Release Date: 2022-05-21

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/96/82/0cbf62676f9d64dd0e73e1667ec6cc189bd52051ee85558081167010fdfa/Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Vulnerabilities

  • CVE-2022-45198: Severity High, CVSS 7.5, Dependency Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl, Type Direct, Fixed in Pillow - 9.2.0, Remediation Available: ❌
  • CVE-2022-45199: Severity High, CVSS 7.5, Dependency Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl, Type Direct, Fixed in Pillow - 9.3.0, Remediation Available: ❌

Details

CVE-2022-45198

Vulnerable Library - Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/96/82/0cbf62676f9d64dd0e73e1667ec6cc189bd52051ee85558081167010fdfa/Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • โŒ Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Publish Date: 2022-11-14

URL: CVE-2022-45198

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.2.0

CVE-2022-45199

Vulnerable Library - Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/96/82/0cbf62676f9d64dd0e73e1667ec6cc189bd52051ee85558081167010fdfa/Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • โŒ Pillow-9.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.

Publish Date: 2022-11-14

URL: CVE-2022-45199

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.3.0

CVE-2022-29191 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29191 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.GetSessionTensor does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29191

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29191

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


jupyter_core-4.11.1-py3-none-any.whl: 1 vulnerability (highest severity is: 8.8)

Vulnerable Library - jupyter_core-4.11.1-py3-none-any.whl

Jupyter core package. A base package on which Jupyter projects rely.

Library home page: https://files.pythonhosted.org/packages/66/5f/32ee101e07d5ece26876f13526b16179525e19f4e460f8085e9ef8e54cff/jupyter_core-4.11.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Vulnerabilities

  • CVE-2022-39286: Severity High, CVSS 8.8, Dependency jupyter_core-4.11.1-py3-none-any.whl, Type Direct, Fixed in jupyter-core - 4.11.2, Remediation Available: ❌

Details

CVE-2022-39286

Vulnerable Library - jupyter_core-4.11.1-py3-none-any.whl

Jupyter core package. A base package on which Jupyter projects rely.

Library home page: https://files.pythonhosted.org/packages/66/5f/32ee101e07d5ece26876f13526b16179525e19f4e460f8085e9ef8e54cff/jupyter_core-4.11.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • โŒ jupyter_core-4.11.1-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

Publish Date: 2022-10-26

URL: CVE-2022-39286

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3363

Release Date: 2022-10-26

Fix Resolution: jupyter-core - 4.11.2

CVE-2022-29202 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29202 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.ragged.constant does not fully validate the input arguments. This results in a denial of service by consuming all available memory. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29202

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29202

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


CVE-2022-21797 (High) detected in joblib-1.1.0-py2.py3-none-any.whl - autoclosed

CVE-2022-21797 - High Severity Vulnerability

Vulnerable Library - joblib-1.1.0-py2.py3-none-any.whl

Lightweight pipelining with Python functions

Library home page: https://files.pythonhosted.org/packages/3e/d5/0163eb0cfa0b673aa4fe1cd3ea9d8a81ea0f32e50807b0c295871e4aab2e/joblib-1.1.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • โŒ joblib-1.1.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The joblib package, in all versions before 1.2.0, is vulnerable to Arbitrary Code Execution via the pre_dispatch flag of the Parallel() class, due to an eval() statement.

Publish Date: 2022-09-26

URL: CVE-2022-21797

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-26

Fix Resolution: joblib - 1.2.0


CVE-2022-30595 (High) detected in Pillow-9.1.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl - autoclosed

CVE-2022-30595 - High Severity Vulnerability

Vulnerable Library - Pillow-9.1.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/10/e8/360519e53809ed7d6658605efff9e2423aff136516b6f0afac9b79c1a5ed/Pillow-9.1.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • โŒ Pillow-9.1.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: fd970bf4a27de3bf5a37f62ccd54c0cb50cb631a

Found in base branch: main

Vulnerability Details

libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files.

Publish Date: 2022-05-25

URL: CVE-2022-30595

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/9.1.1.html

Release Date: 2022-05-25

Fix Resolution: Pillow - 9.1.1


CVE-2021-3842 (High) detected in nltk-3.3.0.zip - autoclosed

CVE-2021-3842 - High Severity Vulnerability

Vulnerable Library - nltk-3.3.0.zip

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/50/09/3b1755d528ad9156ee7243d52aa5cd2b809ef053a0f31b53d92853dd653a/nltk-3.3.0.zip

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • hazm-0.7.0-py3-none-any.whl (Root Library)
    • โŒ nltk-3.3.0.zip (Vulnerable Library)

Found in HEAD commit: 11224a09bd2416657d465ed77014523b84b35867

Found in base branch: main

Vulnerability Details

nltk is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2022-01-04

URL: CVE-2021-3842

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f8m6-h2c7-8h9x

Release Date: 2022-01-04

Fix Resolution: nltk - 3.6.6


CVE-2021-43854 (High) detected in nltk-3.3.0.zip - autoclosed

CVE-2021-43854 - High Severity Vulnerability

Vulnerable Library - nltk-3.3.0.zip

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/50/09/3b1755d528ad9156ee7243d52aa5cd2b809ef053a0f31b53d92853dd653a/nltk-3.3.0.zip

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • hazm-0.7.0-py3-none-any.whl (Root Library)
    • โŒ nltk-3.3.0.zip (Vulnerable Library)

Found in HEAD commit: 11224a09bd2416657d465ed77014523b84b35867

Found in base branch: main

Vulnerability Details

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.

Publish Date: 2021-12-23

URL: CVE-2021-43854

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854

Release Date: 2021-12-23

Fix Resolution: nltk - 3.6.6


CVE-2021-34141 (Medium) detected in numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

CVE-2021-34141 - Medium Severity Vulnerability

Vulnerable Library - numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/08/d6/a6aaa29fea945bc6c61d11f6e0697b325ff7446de5ffd62c2fa02f627048/numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • sklearn-0.0.tar.gz (Root Library)
    • scikit_learn-1.0.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
      • โŒ numpy-1.19.5-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
WhiteSource Note: After conducting further research, WhiteSource has determined that versions 1.12.0 through 1.21.5 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.0rc1,1.12.0b1;numpy-base - 1.16.2;numpy - 1.13.2,1.17.4;albatradis - 1.0.1

CVE-2022-29192 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29192 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.QuantizeAndDequantizeV4Grad does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29192

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29192

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0


Step up your Open Source Security Game with Mend here

CVE-2022-29199 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29199 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.LoadAndRemapMatrix does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code assumes `initializing_values` is a vector but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29199

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29199

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0

CVE-2019-14751 (High) detected in nltk-3.3.0.zip - autoclosed

CVE-2019-14751 - High Severity Vulnerability

Vulnerable Library - nltk-3.3.0.zip

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/50/09/3b1755d528ad9156ee7243d52aa5cd2b809ef053a0f31b53d92853dd653a/nltk-3.3.0.zip

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • hazm-0.7.0-py3-none-any.whl (Root Library)
    • โŒ nltk-3.3.0.zip (Vulnerable Library)

Found in HEAD commit: 11224a09bd2416657d465ed77014523b84b35867

Found in base branch: main

Vulnerability Details

NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.

Publish Date: 2019-08-22

URL: CVE-2019-14751

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/nltk/nltk/blob/3.4.5/ChangeLog

Release Date: 2020-03-27

Fix Resolution: 3.4.5

numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Vulnerabilities

  • CVE: CVE-2021-34141
  • Severity: Medium
  • CVSS: 5.3
  • Dependency: numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
  • Type: Direct
  • Fixed in (numpy version): numpy - 1.22.0
  • Remediation Available: ❌

Details

CVE-2021-34141

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • โŒ numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: numpy - 1.22.0
CVE-2022-29207 (Medium) detected in tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl - autoclosed

CVE-2022-29207 - Medium Severity Vulnerability

Vulnerable Library - tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/73/a3/142f73d0e076f5582fd8da29c68af0413bf529933eed09f86a8857fab0d6/tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • โŒ tensorflow-2.6.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 977293e8b3e6b1a0183210a2c32c01f32c53dd6c

Found in base branch: main

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, multiple TensorFlow operations misbehave in eager mode when the resource handle provided to them is invalid. In graph mode, it would have been impossible to perform these API calls, but migration to TF 2.x eager mode opened up this vulnerability. If the resource handle is empty, then a reference is bound to a null pointer inside TensorFlow codebase (various codepaths). This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Publish Date: 2022-05-20

URL: CVE-2022-29207

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29207

Release Date: 2022-05-20

Fix Resolution: tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0