AI Sec Watch

TensorFlow's `GatherNd` function (a tool that retrieves values from arrays based on index locations) has a vulnerability where it can read memory it shouldn't access if certain input sizes are too large. This happens because the function doesn't properly check if inputs exceed the expected output sizes, potentially exposing sensitive data or crashing the system.

TensorFlow (an open source platform for machine learning) has a bug in SobolSampleOp that crashes the program when it receives unexpected input types, because the code assumes certain inputs will be scalars (single values rather than arrays). This denial of service vulnerability has been fixed and will be released in upcoming versions.

TensorFlow's tf.reshape operation (a function that changes a tensor's shape without altering its data) has a vulnerability that allows attackers to crash the program by causing an integer overflow (when a number exceeds the maximum value a system can store), triggering a denial of service attack (making the service unavailable). The issue affects multiple versions of TensorFlow and has been patched.

Running pip download (a Python command that downloads packages without installing them) can execute malicious code on your computer due to a design flaw, even though many people assume only pip install poses a security risk. This vulnerability allows attackers to run arbitrary code (commands of their choice) simply by downloading a compromised package.

Pickle files (Python's serialization format for saving objects) can be backdoored because they execute code through opcodes (instructions that control a virtual machine). Attackers can inject malicious commands into pickle files using tools like fickling, and when someone loads the file, the hidden code runs without interrupting the program's normal function. This is especially dangerous in shared environments like Google Colab, where an infected pickle file could give attackers access to a user's connected Google Drive.

Streamlit, a Python framework for building data applications, has a directory traversal vulnerability (a type of attack where an attacker uses specially crafted file paths to access files they shouldn't be able to reach) in versions before 1.11.1. An attacker could trick the Streamlit server into reading and returning sensitive files from the server's file system, such as logs or other confidential information.

CVE-2020-25459 is a vulnerability in WeBank FATE (Federated AI Technology Enabler, a system for training machine learning models across multiple parties) versions 0.1 through 1.4.2 that allows attackers to read sensitive information during the training process. The issue exists in a function called sync_tree in the hetero_decision_tree_guest.py file, which means attackers could access private data while the model is being trained.

TensorFlow's `saved_model_cli` tool (a utility for working with saved machine learning models) had a code injection vulnerability in versions before 2.9.0, 2.8.1, 2.7.2, and 2.6.4, which could allow an attacker to open a reverse shell (a backdoor connection giving remote control of a system). The vulnerability existed because the tool used `eval` (a function that executes text as code) on user input for compatibility with older test cases, but since the tool requires manual operation, the practical risk was limited.

TensorFlow, an open source platform for machine learning, had a bug in two signal processing functions (`tf.compat.v1.signal.rfft2d` and `tf.compat.v1.signal.rfft3d`) where missing input validation (checking that data meets expected requirements before processing) could cause the software to crash under certain conditions. The bug was fixed in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4.