aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

3317 items

Standard Setting
info, regulatory, policy
Dec 16, 2022

The EU AI Act requires technical standards to be written by European standardization organizations (CEN and CENELEC) that explain how companies can safely build high-risk AI systems. These standards follow a six-step approval process and, once published and approved by the European Commission, become 'harmonized and cited standards' that legally presume compliance with safety regulations if companies follow them. The drafting process is currently ongoing but behind schedule, with different standards at different completion stages.

Source: EU AI Act Updates

CVE-2022-41910: TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that d
medium, vulnerability, security
Dec 6, 2022
CVE-2022-41910

TensorFlow, an open source platform for machine learning, has a bug in the MakeGrapplerFunctionItem function where providing inputs larger than or equal to the output sizes causes an out-of-bounds memory read (reading data from memory locations the program shouldn't access) or a crash. The issue has been patched and will be included in TensorFlow 2.11.0 as well as backported to earlier versions.

Fix: The fix is available in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. Users should update to TensorFlow 2.11.0, or for earlier versions, update to 2.8.4, 2.9.3, or 2.10.1 where the patch has been backported.

Source: NVD/CVE Database

CVE-2022-41902: TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that d
high, vulnerability, security
Dec 6, 2022
CVE-2022-41902

TensorFlow, an open source machine learning platform, has a bug in its MakeGrapplerFunctionItem function where providing input sizes that are greater than or equal to output sizes causes an out-of-bounds memory read (accessing memory locations outside the intended range) or a crash. This vulnerability affects how TensorFlow processes data when sizes are mismatched.

Fix: The issue has been patched in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix is included in TensorFlow 2.11.0, and will also be included in TensorFlow 2.8.4, 2.9.3, and 2.10.1.

Source: NVD/CVE Database

ChatGPT: Imagine you are a database server
info, news, security, safety
Dec 2, 2022

This post demonstrates that ChatGPT can be prompted to roleplay as a Microsoft SQL Server (a database management system) and respond with realistic database commands and results, including creating databases, tables, inserting data, and writing stored procedures (reusable blocks of SQL code). The author shows that ChatGPT can understand user intent well enough to execute complex database operations like UPSERTs (operations that update existing records or insert new ones if they don't exist), even when given incomplete information.

Source: Embrace The Red

CVE-2022-45907: In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is
critical, vulnerability, security
Nov 26, 2022
CVE-2022-45907

PyTorch versions before trunk/89695 have a vulnerability in the torch.jit.annotations.parse_type_line function that can allow arbitrary code execution (running attacker-controlled commands on a system) because it uses eval unsafely (eval is a function that executes code from text input without proper safety checks).

Source: NVD/CVE Database

Device Code Phishing Attacks
info, news, security
Nov 21, 2022

Attackers are using a new phishing technique that exploits OAuth2 Device Authorization Grant (a protocol that lets devices log in by directing users to a website to authorize access) to trick users into granting them access to data, especially as organizations adopt passwordless authentication methods like hardware tokens. The attack begins when an attacker initiates a device code flow by sending a request to a service provider's device code endpoint, such as Microsoft's Azure AD (Azure Active Directory, Microsoft's identity and access management service).

Source: Embrace The Red

Ropci deep-dive for Azure hackers
info, news, security
Nov 20, 2022

The article discusses security risks with Azure's AAD (Azure Active Directory, Microsoft's cloud identity service) when MFA (multi-factor authentication, an extra security check beyond passwords) is misconfigured. A common mistake is enforcing MFA only at the federated identity provider (an external service that handles logins) while leaving ROPC (Resource Owner Password Credentials, a method where users send passwords directly to get access tokens) enabled in AAD itself, which allows attackers to bypass MFA protections after gaining initial access.

Source: Embrace The Red

CVE-2022-41911: TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*`
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41911

TensorFlow, an open source platform for machine learning, has a bug where converting character data to boolean values can cause crashes because the conversion is undefined unless the character is exactly 0 or 1. This issue affects the process of printing tensors (multi-dimensional arrays of data used in machine learning).

Fix: The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0, and will also be applied to TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4.

Source: NVD/CVE Database

CVE-2022-41909: TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVaria
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41909

TensorFlow (an open source machine learning platform) has a vulnerability where invalid input to a specific function causes a segfault (a crash where the program tries to access memory it shouldn't). The bug occurs when `tf.raw_ops.CompositeTensorVariantToComponents` receives an `encoded` parameter that is not a valid `CompositeTensorVariant` tensor (a data structure for machine learning computations).

Fix: The issue has been patched in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11, and will also be backported to TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4.

Source: NVD/CVE Database

CVE-2022-41908: TensorFlow is an open source platform for machine learning. An input `token` that is not a UTF-8 bytestring will trigger
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41908

TensorFlow, an open-source machine learning platform, has a vulnerability where passing a `token` input that is not UTF-8 encoded (a character encoding standard) causes the `tf.raw_ops.PyFunc` function to crash with a CHECK fail (a safety check that stops execution when something is wrong). This is a type of improper input validation weakness, meaning the function doesn't properly check whether its input is in the correct format before processing it.

Fix: The issue has been patched in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix is included in TensorFlow 2.11, and will also be patched in TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4.

Source: NVD/CVE Database

CVE-2022-41907: TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ResizeNearestNeighborGrad` is given a large
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41907

TensorFlow, an open source machine learning platform, has a vulnerability in the `tf.raw_ops.ResizeNearestNeighborGrad` function where a large `size` input causes an integer overflow (a calculation error where a number becomes too big for its storage space). This bug allows an attacker to potentially crash the system or execute malicious code.

Fix: The fix is included in TensorFlow 2.11 and has been backported to TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these patched versions. The specific patch is available in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624.

Source: NVD/CVE Database

CVE-2022-41901: TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape w
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41901

TensorFlow, an open source machine learning platform, has a bug where invalid input to the `SparseMatrixNNZ` function (a function that counts non-zero values in a sparse matrix, which is a matrix stored efficiently by only keeping non-zero elements) causes the program to crash with a CHECK fail (an assertion error, where the program stops because a required condition wasn't met). This vulnerability affects multiple versions of TensorFlow.

Fix: The issue has been patched in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix is included in TensorFlow 2.11 and has been backported (adapted for older versions) to TensorFlow 2.10.1, 2.9.3, and 2.8.4.

Source: NVD/CVE Database

CVE-2022-41900: TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool
high, vulnerability, security
Nov 18, 2022
CVE-2022-41900

TensorFlow (an open source machine learning platform) has a security vulnerability in its FractionalMaxPool and FractionalAvgPool functions when given invalid pooling_ratio values. Attackers can exploit this to access heap memory (dynamically allocated memory outside the buffer the operation is meant to use), potentially causing the system to crash or allowing remote code execution (running harmful commands on someone else's computer).

Fix: The vulnerability was patched in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0, and the patch will also be applied to TensorFlow 2.10.1.

Source: NVD/CVE Database

CVE-2022-41899: TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41899

TensorFlow (an open source machine learning platform) has a bug where certain inputs with incorrect dimensions crash the SdcaOptimizer component due to a failed validation check. This happens when `dense_features` or `example_state_data` inputs don't have the expected 2D structure (rank 2, meaning a table with rows and columns).

Fix: The fix is included in TensorFlow 2.11. For users on earlier versions, the patch will also be available in TensorFlow 2.10.1, 2.9.3, and 2.8.4. The specific fix is referenced in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa.

Source: NVD/CVE Database

CVE-2022-41898: TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFl
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41898

TensorFlow, an open source machine learning platform, crashes when a function called `SparseFillEmptyRowsGrad` receives empty inputs instead of data. This happens because the code doesn't properly validate (check) what data it receives before trying to process it.

Fix: The fix is included in TensorFlow version 2.11. For users still on older supported versions, patches were also applied to TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these patched versions. The specific patch commit is af4a6a3c8b95022c351edae94560acc61253a1b8 on GitHub.

Source: NVD/CVE Database

CVE-2022-41897: TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_poolin
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41897

TensorFlow (an open-source machine learning platform) crashes when a function called `FractionMaxPoolGrad` receives oversized inputs for `row_pooling_sequence` and `col_pooling_sequence` parameters. This is caused by an out-of-bounds read (accessing memory locations outside the intended range), which causes the program to fail unexpectedly.

Fix: The patch is available in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. Users should upgrade to TensorFlow 2.11, or apply the patch to supported earlier versions: 2.10.1, 2.9.3, and 2.8.4.

Source: NVD/CVE Database

CVE-2022-41896: TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `fil
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41896

TensorFlow (an open-source platform for machine learning) has a vulnerability where a function called `ThreadUnsafeUnigramCandidateSampler` crashes if it receives an input value for `filterbank_channel_count` that exceeds the maximum allowed size. This is caused by improper input validation (failure to check that user-provided values are within acceptable limits).

Fix: The fix is included in TensorFlow 2.11. The patch has also been backported to TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these versions or later.

Source: NVD/CVE Database

CVE-2022-41895: TensorFlow is an open source platform for machine learning. If `MirrorPadGrad` is given outsize input `paddings`, Tensor
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41895

TensorFlow, an open source machine learning platform, has a vulnerability where the `MirrorPadGrad` function crashes with a heap OOB error (out-of-bounds memory access, where the software tries to read memory it shouldn't) when given incorrectly sized input padding values. This bug allows attackers to potentially crash TensorFlow applications.

Fix: The fix is included in TensorFlow 2.11 and has been backported (applied to older versions) in TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these patched versions. The fix was committed in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92.

Source: NVD/CVE Database

CVE-2022-41894: TensorFlow is an open source platform for machine learning. The reference kernel of the `CONV_3D_TRANSPOSE` TensorFlow L
high, vulnerability, security
Nov 18, 2022
CVE-2022-41894

TensorFlow Lite's `CONV_3D_TRANSPOSE` operator (the transposed 3D convolution operator) had a bug where it incorrectly calculated memory addresses when adding bias values, potentially allowing an attacker to write data outside the intended memory area (buffer overflow, where data gets written beyond allocated boundaries). The vulnerability only affects users who employ TensorFlow's default kernel resolver in their interpreter.

Fix: The issue was patched in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11, and will be backported to TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4.

Source: NVD/CVE Database

CVE-2022-41893: TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value
medium, vulnerability, security
Nov 18, 2022
CVE-2022-41893

TensorFlow, an open source machine learning platform, has a vulnerability in the `tf.raw_ops.TensorListResize` function where providing a nonscalar value (a value that isn't a single number) for the `size` input causes a CHECK fail, which can be exploited to trigger a denial of service attack (making the system crash or become unavailable).

Fix: The issue has been patched in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix is included in TensorFlow 2.11 and will be backported to TensorFlow 2.10.1, 2.9.3, and 2.8.4.

Source: NVD/CVE Database