AI Sec Watch

TensorFlow, an open source machine learning platform, had a vulnerability in versions before 2.12.0 and 2.11.1 where a null pointer dereference (a crash caused by trying to use a memory location that doesn't exist) could occur in the Lookup function when a certain pointer was null. This weakness is classified as CWE-476 (NULL Pointer Dereference).

TensorFlow, an open source machine learning platform, has a vulnerability in versions before 2.12.0 and 2.11.1 involving integer overflow (a math error where a number gets too large and wraps around) in the EditDistance function. This bug could potentially cause unexpected behavior or crashes in machine learning programs using affected versions.

TensorFlow, an open source platform for machine learning, has a bug in its `tf.raw_ops.Print` function that causes a seg fault (a crash where the program tries to access memory it shouldn't) when the `summarize` parameter is set to zero. The bug happens because the code tries to use a nullptr (a reference to nothing instead of valid data).

TensorFlow, an open source machine learning platform, had a vulnerability where mismatched parameters in the `DynamicStitch` function could cause a stack OOB read (out-of-bounds read, where a program accesses memory it shouldn't). This flaw affected versions before 2.12.0 and 2.11.1.

TensorFlow, an open source platform for machine learning, had an out of bounds read vulnerability (a bug where code tries to access memory it shouldn't) in a component called GRUBlockCellGrad before versions 2.12.0 and 2.11.1. This vulnerability could potentially allow attackers to read sensitive data or crash the system.

CVE-2023-1177 is a path traversal vulnerability (a flaw where an attacker can access files outside the intended directory by using special characters like '..') in MLflow versions before 2.2.1. This weakness allows attackers to potentially read or access files they shouldn't be able to reach on the system.

CVE-2023-1176 is an absolute path traversal vulnerability (a bug where an attacker can access files anywhere on a system by using file paths that start from the root directory) found in MLflow, an open-source platform for managing machine learning experiments, affecting versions before 2.2.2. The vulnerability was discovered and reported through the huntr.dev bug bounty program.

Streamlit, software that converts data scripts into web applications, had a cross-site scripting vulnerability (XSS, where an attacker injects malicious code that runs in a user's browser) in versions 0.63.0 through 0.80.0. An attacker could craft a malicious URL containing JavaScript code, trick a user into clicking it, and the Streamlit server would execute that code in the victim's browser.

Yolo is a tool that uses ChatGPT API (OpenAI's language model accessed through code) to translate natural language questions into shell commands (the text-based interface for controlling a computer) that can be executed automatically. The tool helps users who forget command syntax by converting plain English requests into proper bash, zsh, or PowerShell commands, with a safety feature that shows the command before running it unless the user enables automatic execution.