adamoswald / face
License: GNU General Public License v3.0
@TheAdam-Verse Thank you for the invitation, your repo is all set up and I will manage it starting now.
I will take care of tickets' assignment, payments and more, automatically.
If you don't want me to handle a certain Issue or PR, add the `no-task` label when creating it. You can also say `deregister` to me (if it's already in scope) and I will forget about it.
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/7a/fb/b1b11ae95ffa7099ca2e60ed5945e56130cc8740208f42aa77f17e03ab3c/torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/SwapNet-jwyang-roi-version/.ws-temp-TOUKKS-requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (torch version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-45907 | High | 9.8 | torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | N/A | ❌ |
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/7a/fb/b1b11ae95ffa7099ca2e60ed5945e56130cc8740208f42aa77f17e03ab3c/torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/SwapNet-jwyang-roi-version/.ws-temp-TOUKKS-requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
Publish Date: 2022-11-26
URL: CVE-2022-45907
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Path to vulnerable library: /module/canvas-sketch-cli-1.11.20/node_modules/minimatch/package.json
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A | ❌ |
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /module/canvas-sketch-cli-1.11.20/package.json
Path to vulnerable library: /module/canvas-sketch-cli-1.11.20/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic
Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl
Path to dependency file: /module
Path to vulnerable library: /module,/docs/sphinx_requirements.txt,/module/MM-RealSR-1.0.0,/module/Jupyter-master/requirements.txt,/module/requirements.txt,/module/imagen-pytorch-1.11.12,/module/PRNet-master/requirements.txt,/module/MM-RealSR-1.0.0/requirements.txt,/module/_tests_requirements.txt,/PRNet-master/requirements.txt,/module/openai-python-0.22.1,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-36087 | Medium | 6.5 | oauthlib-3.2.1-py3-none-any.whl | Direct | N/A | ❌ |
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic
Library home page: https://files.pythonhosted.org/packages/92/bb/d669baf53d4ffe081dab80aad93c5c79f84eeac885dd31507c8c055a98d5/oauthlib-3.2.1-py3-none-any.whl
Path to dependency file: /module
Path to vulnerable library: /module,/docs/sphinx_requirements.txt,/module/MM-RealSR-1.0.0,/module/Jupyter-master/requirements.txt,/module/requirements.txt,/module/imagen-pytorch-1.11.12,/module/PRNet-master/requirements.txt,/module/MM-RealSR-1.0.0/requirements.txt,/module/_tests_requirements.txt,/PRNet-master/requirements.txt,/module/openai-python-0.22.1,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing a malicious redirect uri can cause denial of service. An attacker can also leverage usage of the uri_validate functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or using uri_validate directly are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.
Mend Note: After conducting further research, Mend has determined that versions 3.1.1 through 3.2.1 of oauthlib are vulnerable to CVE-2022-36087.
Publish Date: 2022-09-09
URL: CVE-2022-36087
Base Score Metrics:
Path to dependency file: /module/nft-art-generator-main/package.json
Path to vulnerable library: /module/nft-art-generator-main/node_modules/cliss/node_modules/yargs-parser/package.json
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-7608 | Medium | 5.3 | yargs-parser-7.0.0.tgz | Transitive | N/A | ❌ |
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz
Path to dependency file: /module/nft-art-generator-main/package.json
Path to vulnerable library: /module/nft-art-generator-main/node_modules/cliss/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (Werkzeug version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-46136 | High | 8.0 | Werkzeug-2.2.3-py3-none-any.whl | Direct | 2.3.8 | ❌ |
CVE-2024-34069 | High | 7.5 | Werkzeug-2.2.3-py3-none-any.whl | Direct | 3.0.3 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk to an internal bytearray, and the lookup for the multipart boundary is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
Publish Date: 2023-10-24
URL: CVE-2023-46136
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hrfv-mqp8-q5rw
Release Date: 2023-10-24
Fix Resolution: 2.3.8
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.
Publish Date: 2024-05-06
URL: CVE-2024-34069
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2g68-c3qc-8985
Release Date: 2024-05-06
Fix Resolution: 3.0.3
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /module/generator-main/requirements.txt
Path to vulnerable library: /module/generator-main/requirements.txt,/tmp/ws-scm/face,/module/generator-main/requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33430 | Medium | 5.3 | numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.21.0 | ❌ |
CVE-2021-34141 | Medium | 5.3 | numpy-1.20.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 | ❌ |
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /module/generator-main/requirements.txt
Path to vulnerable library: /module/generator-main/requirements.txt,/tmp/ws-scm/face,/module/generator-main/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulnerability; in the (very limited) circumstances in which a user may be able to provoke the buffer overflow, the user is most likely already privileged enough to at least provoke denial of service by exhausting memory. Triggering this further requires the use of an uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.21.0 are vulnerable to CVE-2021-33430
Publish Date: 2021-12-17
URL: CVE-2021-33430
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430
Release Date: 2021-12-17
Fix Resolution: numpy - 1.21.0
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /module/generator-main/requirements.txt
Path to vulnerable library: /module/generator-main/requirements.txt,/tmp/ws-scm/face,/module/generator-main/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141
Publish Date: 2021-12-17
URL: CVE-2021-34141
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: numpy - 1.22.0
The XML C parser and toolkit of Gnome
Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-29824 | Medium | 6.5 | libxml2-2.9.9-he19cac6_0.conda | Direct | v2.9.14 | ❌ |
The XML C parser and toolkit of Gnome
Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
Publish Date: 2022-05-03
URL: CVE-2022-29824
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
Release Date: 2022-05-03
Fix Resolution: v2.9.14
HTTP/2-based RPC framework
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (grpcio version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-32731 | High | 7.4 | grpcio-1.54.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | grpc - 1.53.1,1.54.2, grpcio - 1.53.1,1.54.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
HTTP/2-based RPC framework
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in grpc/grpc#33005.
Publish Date: 2023-06-09
URL: CVE-2023-32731
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-32731
Release Date: 2023-06-09
Fix Resolution: grpc - 1.53.1,1.54.2, grpcio - 1.53.1,1.54.2
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-10906 | Medium | 5.3 | Jinja2-2.8-py2.py3-none-any.whl | Direct | 2.10.1 | ❌ |
CVE-2016-10745 | Medium | 5.3 | Jinja2-2.8-py2.py3-none-any.whl | Direct | 2.8.1 | ❌ |
CVE-2020-28493 | Medium | 5.3 | Jinja2-2.8-py2.py3-none-any.whl | Direct | Jinja2 - 2.11.3 | ❌ |
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
Publish Date: 2019-04-07
URL: CVE-2019-10906
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906
Release Date: 2020-08-24
Fix Resolution: 2.10.1
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
Publish Date: 2019-04-08
URL: CVE-2016-10745
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745
Release Date: 2019-04-08
Fix Resolution: 2.8.1
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Publish Date: 2021-02-01
URL: CVE-2020-28493
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493
Release Date: 2021-02-01
Fix Resolution: Jinja2 - 2.11.3
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-6817 | High | 7.5 | bleach-3.1.0-py37_0.conda | Direct | bleach - 3.1.4 | ❌ |
CVE-2020-6816 | Medium | 6.1 | bleach-3.1.0-py37_0.conda | Direct | bleach - 3.1.2 | ❌ |
CVE-2020-6802 | Medium | 6.1 | bleach-3.1.0-py37_0.conda | Direct | 3.1.1 | ❌ |
WS-2021-0011 | Medium | 6.1 | bleach-3.1.0-py37_0.conda | Direct | bleach - 3.3.0 | ❌ |
CVE-2021-23980 | Medium | 6.1 | bleach-3.1.0-py37_0.conda | Direct | bleach - 3.3.0 | ❌ |
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A regular expression denial-of-service (ReDoS) found in Bleach before 3.1.4.
Publish Date: 2020-04-01
URL: CVE-2020-6817
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-01
Fix Resolution: bleach - 3.1.4
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.
Publish Date: 2020-03-24
URL: CVE-2020-6816
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m6xf-fq7q-8743
Release Date: 2020-03-24
Fix Resolution: bleach - 3.1.2
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
Publish Date: 2020-03-24
URL: CVE-2020-6802
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q65m-pv3f-wr5r
Release Date: 2020-03-24
Fix Resolution: 3.1.1
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In Mozilla Bleach before 3.3.0, a mutation XSS in bleach.clean when p, br, style, title, noscript, script, textarea, noframes, iframe, or xmp and either svg or math tags are whitelisted and the keyword argument strip_comments=False.
Publish Date: 2021-02-01
URL: WS-2021-0011
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vv2x-vrpj-qqpq
Release Date: 2021-02-01
Fix Resolution: bleach - 3.3.0
Easy, whitelist-based HTML-sanitizing tool
Library home page: http://repo.continuum.io/pkgs/main/linux-64/bleach-3.1.0-py37_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/home/wss-scanner/anaconda3/pkgs/bleach-3.1.0-py37_0.conda,/r/anaconda3/pkgs/bleach-3.1.0-py37_0.conda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A flaw was found in bleach before 3.3.0. A mutation XSS affects users calling "bleach.clean". This was fixed in commit 1334134
Publish Date: 2021-01-14
URL: CVE-2021-23980
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/PYSEC-2021-865
Release Date: 2021-01-14
Fix Resolution: bleach - 3.3.0
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-14343 | High | 9.8 | PyYAML-5.3.1.tar.gz | Direct | PyYAML - 5.4 | ❌ |
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Publish Date: 2021-02-09
URL: CVE-2020-14343
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
Release Date: 2021-02-09
Fix Resolution: PyYAML - 5.4
Path to dependency file: /module/canvas-sketch-cli-1.11.20/package.json
Path to vulnerable library: /module/canvas-sketch-cli-1.11.20/node_modules/falafel/node_modules/acorn/package.json
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
WS-2020-0042 | High | 7.5 | acorn-5.7.4.tgz | Transitive | 6.3.1 | ❌ |
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz
Path to dependency file: /module/canvas-sketch-cli-1.11.20/package.json
Path to vulnerable library: /module/canvas-sketch-cli-1.11.20/node_modules/falafel/node_modules/acorn/package.json
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a Denial of Service, since the string is not valid UTF-16 and this results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (glslify): 6.3.1
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face,/PRNet-master/requirements.txt,/docs/sphinx_requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (certifi version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-39689 | High | 7.5 | certifi-2022.12.7-py3-none-any.whl | Direct | 2024.7.4 | ❌ |
CVE-2023-37920 | High | 7.5 | certifi-2022.12.7-py3-none-any.whl | Direct | 2023.7.22 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face,/PRNet-master/requirements.txt,/docs/sphinx_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from GLOBALTRUST. Certifi 2024.07.04 removes root certificates from GLOBALTRUST from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
Publish Date: 2024-07-05
URL: CVE-2024-39689
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-248v-346w-9cwc
Release Date: 2024-07-05
Fix Resolution: 2024.7.4
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face,/PRNet-master/requirements.txt,/docs/sphinx_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Publish Date: 2023-07-25
URL: CVE-2023-37920
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xqr8-7jwr-rhp7
Release Date: 2023-07-25
Fix Resolution: 2023.7.22
Fast, Extensible Progress Meter
Library home page: https://files.pythonhosted.org/packages/e6/02/a2cff6306177ae6bc73bc0665065de51dfb3b9db7373e122e2735faf0d97/tqdm-4.65.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (tqdm version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-34062 | Medium | 4.8 | tqdm-4.65.0-py3-none-any.whl | Direct | 4.66.4 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Fast, Extensible Progress Meter
Library home page: https://files.pythonhosted.org/packages/e6/02/a2cff6306177ae6bc73bc0665065de51dfb3b9db7373e122e2735faf0d97/tqdm-4.65.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-05-03
URL: CVE-2024-34062
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g7vv-2v7x-gj9p
Release Date: 2024-05-03
Fix Resolution: 4.66.4
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-7608 | Medium | 5.3 | yargs-parser-3.2.0.tgz | Transitive | 7.0.0 | ❌ |
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-3.2.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 5.0.0-security.0
Direct dependency fix Resolution (yargs): 7.0.0
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-29217 | High | 7.5 | PyJWT-1.7.1-py2.py3-none-any.whl | Direct | PyJWT - 2.4.0 | ❌ |
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Publish Date: 2022-05-24
URL: CVE-2022-29217
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217
Release Date: 2022-05-24
Fix Resolution: PyJWT - 2.4.0
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-43138 | High | 7.8 | async-2.6.1.tgz | Transitive | 4.0.2 | ❌ |
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (archiver): 4.0.2
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
actions/download-artifact, actions/upload-artifact)
Warning
Renovate failed to look up the following dependencies: Failed to look up github-tags package logikal-io/pip-install.
Files affected: .github/workflows/pip-install.yml
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.
Dockerfile.cpu
Dockerfile.gpu
nvidia/cuda 12.1.0-runtime-ubuntu18.04
SwapNet-jwyang-roi-version/Dockerfile
nvidia/cuda 10.2-cudnn7-devel-ubuntu18.04
.github/workflows/action-config.yml
yumemi-inc/action-config v0.1.0
.github/workflows/action-gobrew.yml
kevincobain2000/action-gobrew v1
actions/checkout v3
kevincobain2000/action-gobrew v1
.github/workflows/action-pylint.yml
gabriel-milan/action-pylint v1
actions/checkout v3
gabriel-milan/action-pylint v1
.github/workflows/action-pypi-release.yml
stone-home/action-pypi-release v1.0.0
actions/setup-python v4
mathieudutour/github-tag-action v6.1
pypa/gh-action-pypi-publish v1.8.5
ncipollo/release-action v1.12.0
.github/workflows/action-xcode-staple.yml
BoundfoxStudios/action-xcode-staple v1
BoundfoxStudios/action-xcode-staple v1
.github/workflows/actions-pipenv.yml
tiagovrtr/actions-pipenv v1
actions/checkout v3
actions/setup-python v4
tiagovrtr/actions-pipenv v1
actions/checkout v3
actions/setup-python v4
.github/workflows/actions-poetry.yml
abatilo/actions-poetry v2.3.0
actions/checkout v3
actions/setup-python v4
abatilo/actions-poetry v2
actions/checkout v3
actions/setup-python v4
amannn/action-semantic-pull-request v5.2.0
.github/workflows/api-json-action.yml
nathanclevenger/api-json-action v0.2.0
actions/checkout v3
nathanclevenger/api-json-action v1
stefanzweifel/git-auto-commit-action v4
.github/workflows/azure-webapps-python.yml
actions/checkout v3
actions/setup-python v4.6.0
actions/upload-artifact v3
actions/download-artifact v3
azure/webapps-deploy v2
.github/workflows/c-cpp.yml
actions/checkout v3
.github/workflows/cccc-action.yml
sarnold/cccc-action 0.3
actions/checkout v3
actions/upload-artifact v3
actions/checkout v3
.github/workflows/check-python-version.yml
samuelcolvin/check-python-version v3
samuelcolvin/check-python-version v3
.github/workflows/cmake.yml
actions/checkout v3
.github/workflows/codacy.yml
actions/checkout v3
codacy/codacy-analysis-cli-action db33ad5cfab49143adf0db6e890cf4bb9fb37b1c
github/codeql-action v2
.github/workflows/codenamize-action.yml
reallyreallyreal/codenamize-action v1.1.0
.github/workflows/codeql.yml
actions/checkout v3
github/codeql-action v2
github/codeql-action v2
github/codeql-action v2
.github/workflows/custom-interactions.yml
bartick/custom-interactions v1
bartick/custom-interactions v1
.github/workflows/datadog-synthetics.yml
actions/checkout v3
DataDog/synthetics-ci-github-action 431d042ee366b9468e65570000e67f1846104672
.github/workflows/dependency-review.yml
actions/checkout v3
actions/dependency-review-action v3
.github/workflows/django.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/dotnet-desktop.yml
actions/checkout v3
actions/setup-dotnet v3
microsoft/setup-msbuild v1.3.1
actions/upload-artifact v3
.github/workflows/dotnet.yml
actions/checkout v3
actions/setup-dotnet v3
.github/workflows/foresight-workflow-kit-action.yaml
runforesight/foresight-workflow-kit-action v1
runforesight/foresight-test-kit-action v1
.github/workflows/foresight-workflow-kit-action.yml
runforesight/foresight-workflow-kit-action v1
runforesight/foresight-test-kit-action v1
.github/workflows/generate.yaml
nathanclevenger/api-json-action v0.2.0
actions/checkout v3
nathanclevenger/api-json-action v1
stefanzweifel/git-auto-commit-action v4
.github/workflows/get-version-from-package-json.yml
polyseam/get-version-from-package-json 1.0.0
actions/checkout v3
.github/workflows/gitguardian.yml
actions/checkout v3
.github/workflows/go-ossf-slsa3-publish.yml
slsa-framework/slsa-github-generator v1.5.0
.github/workflows/go.yml
actions/checkout v3
actions/setup-go v4
.github/workflows/gradle-publish.yml
actions/checkout v3
actions/setup-java v3
gradle/gradle-build-action 9cf99034d287025d4ee4838498a346d99521aaa4
gradle/gradle-build-action 9cf99034d287025d4ee4838498a346d99521aaa4
.github/workflows/gradle.yml
actions/checkout v3
actions/setup-java v3
gradle/gradle-build-action 9cf99034d287025d4ee4838498a346d99521aaa4
.github/workflows/ios.yml
actions/checkout v3
.github/workflows/jekyll-docker.yml
actions/checkout v3
.github/workflows/json-to-file.yml
devops-actions/json-to-file v1.0.3
.github/workflows/manual.yml
.github/workflows/node.js.yml
actions/checkout v3
actions/setup-node v3
.github/workflows/npm-grunt.yml
actions/checkout v3
actions/setup-node v3
.github/workflows/npm-gulp.yml
actions/checkout v3
actions/setup-node v3
.github/workflows/objective-c-xcode.yml
actions/checkout v3
.github/workflows/pep8-action.yml
quentinguidee/pep8-action v2.0.13-dev
quentinguidee/pep8-action v1
.github/workflows/php.yml
actions/checkout v3
actions/cache v3
.github/workflows/pip-install.yml
logikal-io/pip-install v1.0.0
.github/workflows/pylint.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/pytest.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/python-app.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/python-package-conda.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/python-package.yml
actions/checkout v3
actions/setup-python v4
.github/workflows/python-publish.yml
actions/checkout v3
actions/setup-python v4
pypa/gh-action-pypi-publish 5a085bf49e449ba94cc551efdc03b14b2be3788c
.github/workflows/r.yml
actions/checkout v3
r-lib/actions 788d7d59f05b5ac5b9cf4630428a2502514e98fb
.github/workflows/ruby.yml
actions/checkout v3
ruby/setup-ruby v1.146.0@55283cc23133118229fd3f97f9336ee23a179fcf
.github/workflows/scala.yml
actions/checkout v3
actions/setup-java v3
.github/workflows/setup-python.yml
actions/setup-python v4.6.0
.github/workflows/setup-swift-beta.yml
SavchenkoValeriy/setup-swift v1.0.0
swift-actions/setup-swift v1
swift-actions/setup-swift v1
swift-actions/setup-swift v1
.github/workflows/stackaid-dependency-generator.yml
stackaid/generate-stackaid-json v1.9
actions/checkout v3
actions/setup-go v4
stackaid/generate-stackaid-json v1.9
.github/workflows/super-linter.yml
actions/checkout v3
github/super-linter v5
.github/workflows/swift.yml
actions/checkout v3
.github/workflows/test-pypy.yml
actions/checkout v3
actions/checkout v3
actions/checkout v3
.github/workflows/test-python.yml
actions/checkout v3
actions/checkout v3
actions/checkout v3
actions/checkout v3
actions/checkout v3
actions/checkout v3
.github/workflows/update-ios-bundle-identifier-action.yml
damienaicheh/update-ios-bundle-identifier-action v1.0.0
damienaicheh/update-ios-bundle-identifier-action v1.0.0
.github/workflows/update-ios-version-info-plist-action.yml
damienaicheh/update-ios-version-info-plist-action v1.1.0
damienaicheh/update-ios-version-info-plist-action v1.1.0
.github/workflows/update-updates-release-channel-expo-plist-action.yml
Brune04/update-updates-release-channel-expo-plist-action v1.3
Brune04/update-ios-version-info-plist-action v1.3
.github/workflows/webpack.yml
actions/checkout v3
actions/setup-node v3
.github/workflows/workflow.yml
actions/checkout v3
actions/setup-node v3
.github/workflows/yaml-to-env-action.yml
dcarbone/yaml-to-env-action v2.1.1
actions/checkout v3
dcarbone/yaml-to-env-action v2.1.1
PRNet-master/requirements.txt
numpy >=1.14.3
docs/sphinx_requirements.txt
requirements.txt
setup.py
pexpect >=4.8.0
pywinpty ==2.0.10
parametric-face-image-generator-2.1.1/build.sbt
scala 2.13.10
ch.unibas.cs.gravis:scalismo-faces 0.90.0
org.scalatest:scalatest 3.2.15
org.rogach:scallop 4.1.0
parametric-face-image-generator-2.1.1/project/assembly.sbt
com.eed3si9n:sbt-assembly 2.1.1
parametric-face-image-generator-2.1.1/project/build.properties
sbt/sbt 1.8.2
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-9423 | High | 7.8 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | opencv-python - 4.1.2.30,3.4.16.57;opencv-python-headless - 4.1.2.30,3.4.16.57;opencv-contrib-python-headless - 3.4.16.57,4.1.2.30;opencv-contrib-python - 3.4.16.57,4.1.2.30 | ❌ |
CVE-2019-14493 | High | 7.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 | ❌ |
CVE-2019-14492 | High | 7.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 | ❌ |
CVE-2019-19624 | Medium | 6.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.0.25 | ❌ |
CVE-2019-14491 | Medium | 6.5 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 3.4.7.28, 4.1.1.26 | ❌ |
CVE-2019-15939 | Medium | 5.9 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.1.26 | ❌ |
CVE-2019-16249 | Medium | 5.3 | opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl | Direct | OpenCV-Python - 4.1.1.26 | ❌ |
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. Product: Android. Versions: Android-10. Android ID: A-110986616
Publish Date: 2019-09-27
URL: CVE-2019-9423
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-9423
Release Date: 2019-09-27
Fix Resolution: opencv-python - 4.1.2.30,3.4.16.57;opencv-python-headless - 4.1.2.30,3.4.16.57;opencv-contrib-python-headless - 3.4.16.57,4.1.2.30;opencv-contrib-python - 3.4.16.57,4.1.2.30
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An issue was discovered in OpenCV before 4.1.1. There is a NULL pointer dereference in the function cv::XMLParser::parse at modules/core/src/persistence.cpp.
Publish Date: 2019-08-01
URL: CVE-2019-14493
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3448-vrgh-85xr
Release Date: 2019-08-01
Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
Publish Date: 2019-08-01
URL: CVE-2019-14492
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-fw99-f933-rgh8
Release Date: 2020-04-17
Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An out-of-bounds read was discovered in OpenCV before 4.1.1. Specifically, variable coarsest_scale is assumed to be greater than or equal to finest_scale within the calc()/ocl_calc() functions in dis_flow.cpp. However, this is not true when dealing with small images, leading to an out-of-bounds read of the heap-allocated arrays Ux and Uy.
Publish Date: 2019-12-06
URL: CVE-2019-19624
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jggw-2q6g-c3m6
Release Date: 2019-12-17
Fix Resolution: OpenCV-Python - 4.1.0.25
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read in the function cv::predictOrdered<cv::HaarEvaluator> in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
Publish Date: 2019-08-01
URL: CVE-2019-14491
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-fm39-cw8h-3p63
Release Date: 2019-12-02
Fix Resolution: OpenCV-Python - 3.4.7.28, 4.1.1.26
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp.
Publish Date: 2019-09-05
URL: CVE-2019-15939
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hxfw-jm98-v4mq
Release Date: 2019-09-05
Fix Resolution: OpenCV-Python - 4.1.1.26
Wrapper package for OpenCV python bindings.
Library home page: https://files.pythonhosted.org/packages/45/bd/e0a4391ac105ecf73a6e14372174b05774634c7c6454e49c38750d516eee/opencv_python-4.0.0.21-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp.
Publish Date: 2019-09-11
URL: CVE-2019-16249
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-x3rm-644h-67m8
Release Date: 2019-12-03
Fix Resolution: OpenCV-Python - 4.1.1.26
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face
CVE | Severity | CVSS | Dependency | Type | Fixed in (Jinja2 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-34064 | Medium | 5.4 | Jinja2-3.1.2-py3-none-any.whl | Direct | Jinja2 - 3.1.4 | ❌ |
CVE-2024-22195 | Medium | 5.4 | Jinja2-3.1.2-py3-none-any.whl | Direct | jinja2 - 3.1.3 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in base branch: master
Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe. This vulnerability is fixed in 3.1.4.
Publish Date: 2024-05-06
URL: CVE-2024-34064
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h75v-3vvj-5mfj
Release Date: 2024-05-06
Fix Resolution: Jinja2 - 3.1.4
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in base branch: master
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
Publish Date: 2024-01-11
URL: CVE-2024-22195
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h5c8-rqwp-cp95
Release Date: 2024-01-11
Fix Resolution: jinja2 - 3.1.3
Protocol Buffers
Path to dependency file: /module/runx-0.0.5/requirements.txt
Path to vulnerable library: /module/runx-0.0.5/requirements.txt,/module/runx-0.0.5/requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 | ❌ |
Protocol Buffers
Path to dependency file: /module/runx-0.0.5/requirements.txt
Path to vulnerable library: /module/runx-0.0.5/requirements.txt,/module/runx-0.0.5/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (tensorflow version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-41894 | High | 7.1 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41900 | High | 7.1 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41880 | Medium | 6.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41895 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41884 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41893 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41898 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41887 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41888 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41899 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41896 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41886 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41897 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41889 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41911 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41901 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41907 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41908 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41909 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41890 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41891 | Medium | 4.8 | tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. The reference kernel of the `CONV_3D_TRANSPOSE` TensorFlow Lite operator wrongly increments the `data_ptr` when adding the bias to the result. Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;`, as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if `num_channels > output_num_channels`. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41894
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41894
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
TensorFlow is an open source platform for machine learning. The security vulnerability results in `FractionalMax(AVG)Pool` with an illegal `pooling_ratio`. Attackers using TensorFlow can exploit the vulnerability. They can access heap memory which is not in the control of the user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.
Publish Date: 2022-11-18
URL: CVE-2022-41900
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41900
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value in `true_classes` larger than `range_max`, a heap OOB read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41880
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41880
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. If `MirrorPadGrad` is given outsize input `paddings`, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41895
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41895
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41884
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41884
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value for input `size`, it results in a `CHECK` fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41893
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41893
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41898
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41898
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` that are passed through `functor::mul` in `BinaryOp`. If the resulting dimensions overflow an `int32`, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.
Publish Date: 2022-11-18
URL: CVE-2022-41887
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41887
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41888
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41888
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank 2 will trigger a `CHECK` fail in `SdcaOptimizer`. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41899
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41899
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41896
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41896
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41886
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41886
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_pooling_sequence` and `col_pooling_sequence`, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41897
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41897
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41889
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41889
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit 1be74370327. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41911
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41911
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41901
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41901
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ResizeNearestNeighborGrad` is given a large `size` input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41907
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41907
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. An input `token` that is not a UTF-8 bytestring will trigger a `CHECK` fail in `tf.raw_ops.PyFunc`. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41908
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41908
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41909
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41909
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
The fastest way to build data apps in Python
Library home page: https://files.pythonhosted.org/packages/a3/3b/8b70128553de980a5120b512c8eedc3667deced9554fc399703414b1d8cf/streamlit-0.72.0-py2.py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-35918 | Medium | 6.5 | streamlit-0.72.0-py2.py3-none-any.whl | Direct | streamlit - 1.11.1 | ❌ |
Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2022-08-01
URL: CVE-2022-35918
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35918
Release Date: 2022-08-01
Fix Resolution: streamlit - 1.11.1
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz
Path to dependency file: /module/wombopy-main
Path to vulnerable library: /module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/extension-cpp-master/cuda
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-1747 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | pyyaml - 5.3.1 | ❌ |
CVE-2020-14343 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | PyYAML - 5.4 | ❌ |
CVE-2019-20477 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | 5.2 | ❌ |
A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
Publish Date: 2020-03-24
URL: CVE-2020-1747
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6757-jp84-gxfx
Release Date: 2020-03-24
Fix Resolution: pyyaml - 5.3.1
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz
Path to dependency file: /module/wombopy-main
Path to vulnerable library: /module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Publish Date: 2021-02-09
URL: CVE-2020-14343
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
Release Date: 2021-02-09
Fix Resolution: PyYAML - 5.4
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz
Path to dependency file: /module/wombopy-main
Path to vulnerable library: /module/wombopy-main,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/extension-cpp-master/cuda
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Publish Date: 2020-02-19
URL: CVE-2019-20477
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477
Release Date: 2020-02-19
Fix Resolution: 5.2
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/docs/sphinx_requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (urllib3 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-43804 | Medium | 5.9 | urllib3-1.26.15-py2.py3-none-any.whl | Direct | 1.26.17 | ❌ |
CVE-2024-37891 | Medium | 4.4 | urllib3-1.26.15-py2.py3-none-any.whl | Direct | 1.26.19 | ❌ |
CVE-2023-45803 | Medium | 4.2 | urllib3-1.26.15-py2.py3-none-any.whl | Direct | 1.26.18 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/docs/sphinx_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Publish Date: 2023-10-04
URL: CVE-2023-43804
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804
Release Date: 2023-10-04
Fix Resolution: 1.26.17
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/docs/sphinx_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect, as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution, urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this by accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server, or the proxy or target origin redirecting to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header at all as mitigations.
Publish Date: 2024-06-17
URL: CVE-2024-37891
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-34jh-p97f-mpxf
Release Date: 2024-06-17
Fix Resolution: 1.26.19
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/docs/sphinx_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 changed the request's method from one that could accept a request body (like `POST`) to `GET`, as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections, and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality, we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies; if this is the case, then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON), and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer, or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7, and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects (`redirects=False`), and otherwise disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Publish Date: 2023-10-17
URL: CVE-2023-45803
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g4mx-q9vg-27p4
Release Date: 2023-10-17
Fix Resolution: 1.26.18
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (tensorflow version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-25668 | Critical | 9.8 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
CVE-2023-33976 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.12.1 | ❌ |
CVE-2023-25676 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25675 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25674 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25673 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25672 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25671 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
CVE-2023-25670 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25669 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25665 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
CVE-2023-25664 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
CVE-2023-25663 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25662 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25660 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25659 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25658 | High | 7.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25667 | Medium | 6.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | ❌ |
CVE-2023-25661 | Medium | 6.5 | tensorflow-2.11.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Attackers using TensorFlow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of the user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0, and the commit will also be cherry-picked onto TensorFlow version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25668
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gw97-ff7c-9v96
Release Date: 2023-03-25
Fix Resolution: 2.11.1
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an end-to-end open source platform for machine learning. `array_ops.upper_bound` causes a segfault when not given a rank 2 tensor. The fix will be included in TensorFlow 2.13, and the commit will also be cherry-picked onto TensorFlow 2.12.
Publish Date: 2024-07-30
URL: CVE-2023-33976
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gjh7-xx4r-x345
Release Date: 2024-07-30
Fix Resolution: 2.12.1
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25676
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6wfh-89q8-44jq
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.Bincount` segfaults when given a parameter `weights` that is neither the same shape as parameter `arr` nor a length-0 tensor. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25675
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7x4v-9gxg-9hwj
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source machine learning platform. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25674
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf97-q72m-7579
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25673
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-647v-r7qq-24fh
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25672
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-94mm-g2mv-8p7r
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25671
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25671
Release Date: 2023-03-25
Fix Resolution: 2.11.1
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25670
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-49rq-hwc3-x77w
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for `tf.raw_ops.AvgPoolGrad`, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25669
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rcf8-g8jv-vg6p
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `SparseSparseMaximum` is given invalid sparse tensors as inputs, it can give a null pointer error. A fix is included in TensorFlow version 2.12 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25665
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25665
Release Date: 2023-03-25
Fix Resolution: 2.11.1
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25664
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6hg6-5c2q-7rcr
Release Date: 2023-03-25
Fix Resolution: 2.11.1
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `ctx->step_container()` is a null pointer, the Lookup function will be executed with a null pointer. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25663
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-64jg-wjww-7c5w
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 are vulnerable to integer overflow in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25662
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7jvm-xxmr-v5cw
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when the parameter `summarize` of `tf.raw_ops.Print` is zero, the new method `SummarizeArray<bool>` will dereference a nullptr, leading to a segfault. A fix is included in TensorFlow version 2.12 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25660
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qjqc-vqcf-5qvj
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`, it can trigger a stack out-of-bounds (OOB) read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25659
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-93vr-9q9m-pj8p
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is an out-of-bounds read in GRUBlockCellGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25658
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-68v3-g9cm-rmm6
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when `2^31 <= num_frames * height * width * channels < 2^32`, for example a Full HD screencast of at least 346 frames. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-25
URL: CVE-2023-25667
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-fqm2-gh8w-gr68
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/PRNet-master/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source machine learning framework. In versions prior to 2.11.1, a malicious invalid input crashes a TensorFlow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose` function. This `Convolution3DTranspose` layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure could potentially be used to trigger a denial of service attack on ML cloud services. An attacker must have the privilege to provide input to a `Convolution3DTranspose` call. This issue has been patched and users are advised to upgrade to version 2.11.1. There are no known workarounds for this vulnerability.
Publish Date: 2023-03-27
URL: CVE-2023-25661
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-fxgc-95xx-grvq
Release Date: 2023-03-27
Fix Resolution: 2.11.1
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3807 | High | 7.5 | ansi-regex-3.0.0.tgz | Transitive | 5.0.0 | ❌ |
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (table): 5.0.0
Protocol Buffers
Library home page: https://files.pythonhosted.org/packages/19/a5/ac51df34cdf4739574492ed4903c11dadd72a7bec4a31bb0496f4f50fc19/protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt
Path to vulnerable library: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda,/module/wombopy-main,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl | Direct | Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6 | ❌ |
Protocol Buffers
Library home page: https://files.pythonhosted.org/packages/19/a5/ac51df34cdf4739574492ed4903c11dadd72a7bec4a31bb0496f4f50fc19/protobuf-3.7.1-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt
Path to vulnerable library: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda,/module/wombopy-main,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (tensorflow version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-41894 | High | 7.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41900 | High | 7.1 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41883 | Medium | 6.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.10.1, 2.11.0, tensorflow-cpu - 2.10.1, 2.11.0, tensorflow-gpu - 2.10.1, 2.11.0 | ❌ |
CVE-2022-41880 | Medium | 6.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41895 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41884 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41893 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41898 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41887 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41888 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41899 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41896 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41886 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41897 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41911 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41889 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41901 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41907 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41908 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41909 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41890 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
CVE-2022-41891 | Medium | 4.8 | tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | ❌ |
Partial details (18 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. The reference kernel of the `CONV_3D_TRANSPOSE` TensorFlow Lite operator wrongly increments the `data_ptr` when adding the bias to the result. Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;`, because if the number of input channels differs from the number of output channels, the wrong result will be returned and a buffer overflow will occur if `num_channels > output_num_channels`. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41894
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41894
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. The security vulnerability results in `FractionalMax(AVG)Pool` with an illegal `pooling_ratio`. Attackers using TensorFlow can exploit the vulnerability. They can access heap memory which is not under the user's control, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.
Publish Date: 2022-11-18
URL: CVE-2022-41900
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41900
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing number of inputs, the executor will crash. We have patched the issue in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41883
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41883
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.10.1, 2.11.0, tensorflow-cpu - 2.10.1, 2.11.0, tensorflow-gpu - 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value in `true_classes` larger than `range_max`, a heap OOB read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41880
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41880
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. If `MirrorPadGrad` is given outsize input `paddings`, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41895
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41895
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41884
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41884
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value for input `size`, it results in a `CHECK` fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41893
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41893
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41898
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41898
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` that are passed through `functor::mul` in `BinaryOp`. If the resulting dimensions overflow an `int32`, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.
Publish Date: 2022-11-18
URL: CVE-2022-41887
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41887
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41888
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41888
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank 2 will trigger a `CHECK` fail in `SdcaOptimizer`. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41899
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41899
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41896
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41896
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41886
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41886
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_pooling_sequence` and `col_pooling_sequence`, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41897
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41897
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit 1be74370327. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41911
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41911
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41889
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41889
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41901
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41901
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
TensorFlow is an open source machine learning framework for everyone.
Path to dependency file: /PRNet-master/requirements.txt
Path to vulnerable library: /PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ResizeNearestNeighborGrad` is given a large `size` input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41907
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41907
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/56/aa/4ef5aa67a9a62505db124a5cb5262332d1d4153462eb8fd89c9fa41e5d92/urllib3-1.25.11-py2.py3-none-any.whl
Path to dependency file: /module/runx-0.0.5
Path to vulnerable library: /module/runx-0.0.5,/module/requirements.txt,/module
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.25.11-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | ❌ |
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/56/aa/4ef5aa67a9a62505db124a5cb5262332d1d4153462eb8fd89c9fa41e5d92/urllib3-1.25.11-py2.py3-none-any.whl
Path to dependency file: /module/runx-0.0.5
Path to vulnerable library: /module/runx-0.0.5,/module/requirements.txt,/module
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (Pillow version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-50447 | High | 8.1 | Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl | Direct | pillow - 10.2.0 | ❌ |
CVE-2023-44271 | High | 7.5 | Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl | Direct | Pillow - 10.0.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Publish Date: 2024-01-19
URL: CVE-2023-50447
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1
Release Date: 2024-01-19
Fix Resolution: pillow - 10.2.0
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An issue was discovered in Pillow before 10.0.0. It is a denial of service in which memory is allocated without bound while processing a given task, potentially causing the service to crash by running out of memory. This occurs for truetype fonts in ImageFont when textlength on an ImageDraw instance operates on a long text argument.
Publish Date: 2023-11-03
URL: CVE-2023-44271
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-11-03
Fix Resolution: Pillow - 10.0.0
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl
Path to dependency file: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt
Path to vulnerable library: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | ❌ |
CVE-2020-7212 | High | 7.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | urllib3 - 1.25.8 | ❌ |
CVE-2020-26137 | Medium | 6.5 | urllib3-1.25.3-py2.py3-none-any.whl | Direct | 1.25.9 | ❌ |
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl
Path to dependency file: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt
Path to vulnerable library: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl
Path to dependency file: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt
Path to vulnerable library: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
Publish Date: 2020-03-06
URL: CVE-2020-7212
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hmv2-79q8-fv6g
Release Date: 2020-03-09
Fix Resolution: urllib3 - 1.25.8
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl
Path to dependency file: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt
Path to vulnerable library: /module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/extension-cpp-master/cuda,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/wombopy-main
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
Path to dependency file: /module/sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/loader-utils/package.json
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-37601 | High | 9.8 | loader-utils-1.4.0.tgz | Transitive | N/A | ❌ |
CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | N/A | ❌ |
CVE-2022-37599 | High | 7.5 | detected in multiple dependencies | Transitive | N/A | ❌ |
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /module/sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/vue-loader/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/postcss-loader/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/webpack/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/cache-loader/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/vue-style-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution: loader-utils - v2.0.0
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /module/sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex is used to check for strings ending in an enclosure that contains a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /module/sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/vue-loader/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/postcss-loader/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/webpack/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/cache-loader/node_modules/loader-utils/package.json,/module/sprites-as-a-service-0.5.0/frontend/node_modules/vue-style-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /module/sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
Base Score Metrics:
Groovy: A powerful, dynamic language for the JVM
Path to dependency file: /module/setup-java-3.5.0/__tests__/cache/gradle/build.gradle
Path to vulnerable library: /r/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2016-6814 | High | 9.8 | groovy-1.8.6.jar | Direct | 2.4.8 | ❌ |
CVE-2015-3253 | Medium | 5.6 | groovy-1.8.6.jar | Direct | 2.4.4 | ❌ |
Groovy: A powerful, dynamic language for the JVM
Path to dependency file: /module/setup-java-3.5.0/__tests__/cache/gradle/build.gradle
Path to vulnerable library: /r/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
When an application with unsupported Codehaus versions of Groovy (1.7.0 to 2.4.3) or Apache Groovy 2.4.4 to 2.4.7 on its classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to craft a special serialized object that executes code directly when deserialized. All applications which rely on serialization and do not isolate the code that deserializes objects were subject to this vulnerability.
Publish Date: 2018-01-18
URL: CVE-2016-6814
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
Release Date: 2018-01-18
Fix Resolution: 2.4.8
Groovy: A powerful, dynamic language for the JVM
Path to dependency file: /module/setup-java-3.5.0/__tests__/cache/gradle/build.gradle
Path to vulnerable library: /r/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/1.8.6/553ca93e0407c94c89b058c482a404427ac7fc72/groovy-1.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
Publish Date: 2015-08-13
URL: CVE-2015-3253
Base Score Metrics:
Type: Upgrade version
Origin: http://groovy-lang.org/security.html
Release Date: 2015-08-13
Fix Resolution: 2.4.4
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl
Path to dependency file: /module/sprites-as-a-service-0.5.0/backend/requirements.txt
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/runx-0.0.5
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
WS-2020-0300 | High | 7.5 | starlette-0.13.2-py3-none-any.whl | Direct | starlette - 0.13.5 | ❌ |
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/37/2e/f56602beda25b376bbaaeadb626cf212b673457075ffed0dd12969ad6014/starlette-0.13.2-py3-none-any.whl
Path to dependency file: /module/sprites-as-a-service-0.5.0/backend/requirements.txt
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/runx-0.0.5
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A path traversal vulnerability was found in starlette before 0.13.5. The vulnerability allows a remote attacker to perform directory traversal attacks. It exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Publish Date: 2020-06-23
URL: WS-2020-0300
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-06-23
Fix Resolution: starlette - 0.13.5
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-RZUGWE-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-RZUGWE-requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (adabound version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-45907 | High | 9.8 | torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/7a/fb/b1b11ae95ffa7099ca2e60ed5945e56130cc8740208f42aa77f17e03ab3c/torch-1.13.0-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /SwapNet-jwyang-roi-version/.ws-temp-RZUGWE-requirements.txt
Path to vulnerable library: /SwapNet-jwyang-roi-version/.ws-temp-RZUGWE-requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
Publish Date: 2022-11-26
URL: CVE-2022-45907
Base Score Metrics:
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/d2/f4/274d1dbe96b41cf4e0efb70cbced278ffd61b5c7bb70338b62af94ccb25b/requests-2.28.2-py3-none-any.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (requests version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-32681 | Medium | 6.1 | requests-2.28.2-py3-none-any.whl | Direct | 2.32.0 | ❌ |
CVE-2024-35195 | Medium | 5.6 | requests-2.28.2-py3-none-any.whl | Direct | requests - 2.32.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/d2/f4/274d1dbe96b41cf4e0efb70cbced278ffd61b5c7bb70338b62af94ccb25b/requests-2.28.2-py3-none-any.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking `Proxy-Authorization` headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Publish Date: 2023-05-26
URL: CVE-2023-32681
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8r2-6x86-q33q
Release Date: 2023-05-26
Fix Resolution: 2.32.0
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/d2/f4/274d1dbe96b41cf4e0efb70cbced278ffd61b5c7bb70338b62af94ccb25b/requests-2.28.2-py3-none-any.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Requests is an HTTP library. Prior to 2.32.2, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.2.
Publish Date: 2024-05-20
URL: CVE-2024-35195
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9wx4-h78v-vm56
Release Date: 2024-05-20
Fix Resolution: requests - 2.32.2
Path to dependency file: /module/WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-0820 | High | 7.5 | system.text.regularexpressions.4.3.0.nupkg | Transitive | N/A | ❌ |
WS-2022-0161 | High | 7.5 | newtonsoft.json.10.0.3.nupkg | Transitive | N/A | ❌ |
CVE-2018-8292 | Medium | 5.3 | system.net.http.4.3.0.nupkg | Transitive | N/A | ❌ |
Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg
Path to dependency file: /module/WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects versions 4.3.0 and 4.3.1 of system.text.regularexpressions.nupkg, and only on the netcore50 target.
Publish Date: 2019-05-16
URL: CVE-2019-0820
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
Json.NET is a popular high-performance JSON framework for .NET
Library home page: https://api.nuget.org/packages/newtonsoft.json.10.0.3.nupkg
Path to dependency file: /module/WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/10.0.3/newtonsoft.json.10.0.3.nupkg
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Improper Handling of Exceptional Conditions in Newtonsoft.Json.
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of a StackOverflow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause an SOE within a time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) applications.
Publish Date: 2022-06-22
URL: WS-2022-0161
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-06-22
Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0
Provides a programming interface for modern HTTP applications, including HTTP client components that...
Library home page: https://api.nuget.org/packages/system.net.http.4.3.0.nupkg
Path to dependency file: /module/WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.0/system.net.http.4.3.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
Publish Date: 2018-10-10
URL: CVE-2018-8292
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-10-10
Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1
An implementation of the WebSocket Protocol (RFC 6455 & 7692)
Library home page: https://files.pythonhosted.org/packages/5a/0b/3ebc752392a368af14dd24ee041683416ac6d2463eead94b311b11e41c82/websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /module/runx-0.0.5
Path to vulnerable library: /module/runx-0.0.5
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33880 | Medium | 5.9 | websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl | Direct | websockets - 9.1 | ❌ |
An implementation of the WebSocket Protocol (RFC 6455 & 7692)
Library home page: https://files.pythonhosted.org/packages/5a/0b/3ebc752392a368af14dd24ee041683416ac6d2463eead94b311b11e41c82/websockets-8.1-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /module/runx-0.0.5
Path to vulnerable library: /module/runx-0.0.5
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.
Publish Date: 2021-06-06
URL: CVE-2021-33880
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33880
Release Date: 2021-06-06
Fix Resolution: websockets - 9.1
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /module/dalle-mini-0.1.1
Path to vulnerable library: /module/dalle-mini-0.1.1,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/PRNet-master/requirements.txt,/module/_tests_requirements.txt,/module/runx-0.0.5/requirements.txt,/module/openai-python-0.22.1,/docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/module/Jupyter-master/requirements.txt,/module/DALLE2-pytorch-1.10.6,/module/MM-RealSR-1.0.0/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/extension-cpp-master/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/module,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/requirements.txt,/module/wombopy-main,/module/runx-0.0.5/requirements.txt,/module/MM-RealSR-1.0.0/requirements.txt,/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/Jupyter-master/requirements.txt,/module/openai-python-0.22.1/public,/module/extension-cpp-master/cpp,/module/Bobber-6.3.1,/module/PRNet-master/requirements.txt,/module/imagen-pytorch-1.11.12,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/runx-0.0.5,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/extension-cpp-master/cuda,/module/paperspace-python-0.2.0,/module/PRNet-master/requirements.txt,/module/MM-RealSR-1.0.0
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-34141 | Medium | 5.3 | numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | numpy - 1.22.0 | ❌ |
NumPy is the fundamental package for array computing with Python.
Path to dependency file: /module/dalle-mini-0.1.1
Path to vulnerable library: /module/dalle-mini-0.1.1,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/PRNet-master/requirements.txt,/module/_tests_requirements.txt,/module/runx-0.0.5/requirements.txt,/module/openai-python-0.22.1,/docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt,/module/Jupyter-master/requirements.txt,/module/DALLE2-pytorch-1.10.6,/module/MM-RealSR-1.0.0/requirements.txt,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/extension-cpp-master/requirements.txt,/PRNet-master/requirements.txt,/tmp/ws-scm/face,/module,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/requirements.txt,/module/wombopy-main,/module/runx-0.0.5/requirements.txt,/module/MM-RealSR-1.0.0/requirements.txt,/requirements.txt,/SwapNet-jwyang-roi-version/.ws-temp-INQNDT-requirements.txt,/module/Jupyter-master/requirements.txt,/module/openai-python-0.22.1/public,/module/extension-cpp-master/cpp,/module/Bobber-6.3.1,/module/PRNet-master/requirements.txt,/module/imagen-pytorch-1.11.12,/module/SwapNet-jwyang-roi-version/.ws-temp-THANSD-requirements.txt,/module/runx-0.0.5,/module/sprites-as-a-service-0.5.0/backend/requirements.txt,/module/extension-cpp-master/cuda,/module/paperspace-python-0.2.0,/module/PRNet-master/requirements.txt,/module/MM-RealSR-1.0.0
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141
Publish Date: 2021-12-17
URL: CVE-2021-34141
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: numpy - 1.22.0
Python Imaging Library (Fork)
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (Pillow version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-45198 | High | 7.5 | Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | Pillow - 9.2.0 | ❌ |
CVE-2022-45199 | High | 7.5 | Pillow-9.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | Pillow - 9.3.0 | ❌ |
Python Imaging Library (Fork)
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
Publish Date: 2022-11-14
URL: CVE-2022-45198
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-14
Fix Resolution: Pillow - 9.2.0
Python Imaging Library (Fork)
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.
Publish Date: 2022-11-14
URL: CVE-2022-45199
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-14
Fix Resolution: Pillow - 9.3.0
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/c9/b8/27c526c45f482450a53c0faab6c0c4baf9cddee0a8f879a8526f7dd8adf0/Pillow-9.3.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (Pillow version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-50447 | High | 8.1 | Pillow-9.3.0-cp37-cp37m-manylinux_2_28_x86_64.whl | Direct | pillow - 10.2.0 | ❌ |
CVE-2023-44271 | High | 7.5 | Pillow-9.3.0-cp37-cp37m-manylinux_2_28_x86_64.whl | Direct | Pillow - 10.0.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/c9/b8/27c526c45f482450a53c0faab6c0c4baf9cddee0a8f879a8526f7dd8adf0/Pillow-9.3.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Publish Date: 2024-01-19
URL: CVE-2023-50447
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1
Release Date: 2024-01-19
Fix Resolution: pillow - 10.2.0
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/c9/b8/27c526c45f482450a53c0faab6c0c4baf9cddee0a8f879a8526f7dd8adf0/Pillow-9.3.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Path to dependency file: /tmp/ws-scm/face
Path to vulnerable library: /tmp/ws-scm/face,/docs/sphinx_requirements.txt,/requirements.txt,/docs/sphinx_requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Publish Date: 2023-11-03
URL: CVE-2023-44271
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-11-03
Fix Resolution: Pillow - 10.0.0
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-43138 | High | 7.8 | async-1.5.2.tgz | Direct | 2.6.4 | ❌ |
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution: 2.6.4
Path to dependency file: /module/WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1941 | High | 7.5 | google.protobuf.3.19.4.nupkg | Transitive | N/A | ❌ |
C# runtime library for Protocol Buffers - Google's data interchange format.
Library home page: https://api.nuget.org/packages/google.protobuf.3.19.4.nupkg
Path to dependency file: /module/WhoML-main/MLNet/MattEland.ML.WhoML/MattEland.ML.TimeAndSpace.Core/MattEland.ML.TimeAndSpace.Core.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.19.4/google.protobuf.3.19.4.nupkg
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
PyTorch is an optimized tensor library for deep learning using GPUs and CPUs.
Library home page: https://api.anaconda.org/download/main/pytorch/1.2.0/linux-64/pytorch-1.2.0-cuda92py37hd3e106c_0.tar.bz2
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/pytorch-1.2.0-py3.7_cuda10.0.130_cudnn7.6.2_0.tar.bz2,/r/anaconda3/pkgs/pytorch-1.2.0-py3.7_cuda10.0.130_cudnn7.6.2_0.tar.bz2
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in (pytorch version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-45907 | High | 9.8 | pytorch-1.2.0-cuda92py37hd3e106c_0.tar.bz2 | Direct | N/A | ❌ |
PyTorch is an optimized tensor library for deep learning using GPUs and CPUs.
Library home page: https://api.anaconda.org/download/main/pytorch/1.2.0/linux-64/pytorch-1.2.0-cuda92py37hd3e106c_0.tar.bz2
Path to dependency file: /SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/pytorch-1.2.0-py3.7_cuda10.0.130_cudnn7.6.2_0.tar.bz2,/r/anaconda3/pkgs/pytorch-1.2.0-py3.7_cuda10.0.130_cudnn7.6.2_0.tar.bz2
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
Publish Date: 2022-11-26
URL: CVE-2022-45907
Base Score Metrics:
Python library for arbitrary-precision floating-point arithmetic
Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-29063 | High | 7.5 | mpmath-1.2.1-py3-none-any.whl | Direct | N/A | ❌ |
Python library for arbitrary-precision floating-point arithmetic
Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl
Path to dependency file: /module/requirements.txt
Path to vulnerable library: /module/requirements.txt,/module
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called.
Mend Note: After conducting further research, Mend has determined that all versions of mpmath through 1.2.1 are vulnerable to CVE-2021-29063.
Publish Date: 2021-06-21
URL: CVE-2021-29063
Base Score Metrics:
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl
Path to dependency file: /module/_tests_requirements.txt
Path to vulnerable library: /module/_tests_requirements.txt,/module/wombopy-main/requirements.txt,/module,/module/requirements.txt
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-42969 | High | 7.5 | py-1.11.0-py2.py3-none-any.whl | Direct | py - 1.5.0 | ❌ |
library with cross-python path, ini-parsing, io, code, log facilities
Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl
Path to dependency file: /module/_tests_requirements.txt
Path to vulnerable library: /module/_tests_requirements.txt,/module/wombopy-main/requirements.txt,/module,/module/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
Publish Date: 2022-10-16
URL: CVE-2022-42969
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-42969
Release Date: 2022-10-16
Fix Resolution: py - 1.5.0
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Transitive | 12.3.0 | ❌ |
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /module/sprites-as-a-service-0.5.0/frontend/package.json
Path to vulnerable library: /module/sprites-as-a-service-0.5.0/frontend/node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (react-native-svg): 12.3.0