AI Sec Watch

TensorFlow, an open source platform for machine learning, had a vulnerability in the `tf.raw_ops.TensorSummaryV2` function that failed to properly validate (check the correctness of) input arguments before using them. This flaw could be exploited to cause a denial of service attack (making the system crash or become unavailable) by triggering a CHECK-failure (a forced program halt when an expected condition is not met).

TensorFlow, an open source machine learning platform, had a vulnerability in its `tf.raw_ops.DeleteSessionTensor` function (a specific operation within TensorFlow) that failed to properly check its input arguments before using them. This flaw could be exploited to cause a denial of service attack (making a system crash or become unavailable by sending specially crafted requests).

TensorFlow, an open source machine learning platform, had a vulnerability in the `tf.raw_ops.QuantizeAndDequantizeV4Grad` function where it did not fully validate input arguments before processing them. This bug could crash the system (a denial of service attack, where an attacker makes a service unavailable) in versions before 2.9.0, 2.8.1, 2.7.2, and 2.6.4.

TensorFlow, an open source machine learning platform, had a vulnerability in its `tf.raw_ops.GetSessionTensor` function (a command for retrieving tensor data from a session) where it did not properly validate input arguments, allowing attackers to crash the system through a denial of service attack (making software unavailable by overwhelming or breaking it). The vulnerability was fixed in TensorFlow versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4.

A vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition (a high-performance Java runtime) in the JAXP component (Java API for XML Processing, which handles XML data) allows an unauthenticated attacker to partially disable these systems over a network. The vulnerability affects specific versions of Java and can be exploited through untrusted code in web applications or through web services that supply data to the vulnerable APIs, with a severity rating of 5.3 out of 10.

GPT-3 (a large language model that generates realistic human-like text) could be misused by attackers to create convincing phishing attacks (fraudulent messages designed to trick people into revealing sensitive information). The post discusses this threat and mentions that organizations can take countermeasures to protect themselves, though specific details are not provided in the excerpt.

Gradio, a framework for building interactive machine learning demos, has a vulnerability in versions before 2.8.11 where its flagging feature (which saves data to CSV files) can be tricked into storing harmful commands in the file. If someone opens this CSV file in Excel or similar programs, those commands run automatically on their computer.

CVE-2022-0845 is a code injection vulnerability (a flaw where an attacker can insert and execute malicious code) in PyTorch Lightning, a machine learning framework, affecting versions before 1.6.0. The vulnerability stems from improper control over code generation, allowing attackers to run arbitrary code through the affected software.

MLflow, a machine learning platform, had an insecure temporary file vulnerability (CWE-377, a weakness where temporary files are created without proper security protections) in versions before 1.23.1. This vulnerability could potentially allow attackers to access or modify sensitive data stored in temporary files.