aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

3335 items

CVE-2022-21282: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supp

medium · vulnerability · security
Jan 19, 2022
CVE-2022-21282

A vulnerability in the JAXP component (the part of Java that handles XML processing) of Oracle Java SE and GraalVM Enterprise Edition allows an unauthenticated attacker with network access to read a subset of data they should not be able to reach. It mainly affects Java deployments that run untrusted code downloaded from the internet in a sandbox (a restricted environment meant to contain such code), and it has a CVSS score (a 0-10 severity rating) of 5.3.

Source: NVD/CVE Database

Log4Shell and Request Forgery Attacks

info · news · security
Jan 4, 2022

Log4Shell is a critical vulnerability in Apache's log4j library (a widely used Java logging tool) that allows remote code execution (running commands on a system from afar) through its Java Naming and Directory Interface (JNDI) support. It is particularly dangerous because log4j is used in many Java applications and the flaw is easy to exploit. The source mentions that patches were released to fix the issue, and also notes that bypasses of those patches were discovered, leading to additional patches.

Fix: Patches were released to address the vulnerability. The source notes that when bypasses of the initial patches were discovered, additional patches were subsequently released.

Source: Embrace The Red

CVE-2021-4118: pytorch-lightning is vulnerable to Deserialization of Untrusted Data

high · vulnerability · security
Dec 23, 2021
CVE-2021-4118

pytorch-lightning (a popular machine learning library) contains a deserialization-of-untrusted-data vulnerability (CWE-502, where a program unsafely processes data from an untrusted source, potentially allowing an attacker to run malicious code). The vulnerability was identified and reported through the huntr.dev bug bounty program.

Fix: A patch is available in the pytorch-lightning repository at commit 62f1e82e032eb16565e676d39e0db0cac7e34ace. Users should update to this patched version to fix the deserialization vulnerability.

Source: NVD/CVE Database

CVE-2021-43831: Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.

high · vulnerability · security
Dec 15, 2021
CVE-2021-43831 · EPSS: 30.3%

Gradio, a framework for building interactive machine learning demos, had a vulnerability in versions before 2.5.0 where users could read any file on the host computer if they knew the file path, because file access was not restricted (files could only be opened in read-only mode). This meant anyone with a link to a Gradio interface could potentially access sensitive files on the server.

Fix: Update to Gradio version 2.5.0 or later, where the vulnerability has been patched.

Source: NVD/CVE Database

CVE-2021-43811: Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses Y

high · vulnerability · security
Dec 8, 2021
CVE-2021-43811

Sockeye, an open-source tool for Neural Machine Translation (a type of AI that translates text between languages), had a security flaw in versions before 2.3.24 where it used unsafe YAML loading (a way of reading configuration files without proper safety checks). An attacker could hide malicious code in a model's configuration file, and if a user downloaded and ran that model, the hidden code would execute on their computer.

Fix: The issue is fixed in version 2.3.24. Users should update to this version or later.

Source: NVD/CVE Database

CVE-2021-43775: Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnera

high · vulnerability · security
Nov 23, 2021
CVE-2021-43775

Aim is an open-source tool for tracking machine learning experiments. Versions before 3.1.0 have a path traversal vulnerability (a type of attack where special sequences like '../' are used to reach files outside the intended directory), which could allow attackers to read sensitive files such as source code, configuration files, or system files on the server.

Fix: Upgrade to Aim v3.1.0, where the vulnerability is resolved.

Source: NVD/CVE Database

Video: Anatomy of a compromise

info · news · security
Nov 8, 2021

This is a video resource about how security breaches happen, covering the step-by-step process attackers use to compromise systems. The content is from WUNDERWUZZI and is intended for educational purposes, to help people understand attack methods and how to defend against them.

Source: Embrace The Red

CVE-2021-41228: TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is

high · vulnerability · security
Nov 5, 2021
CVE-2021-41228

TensorFlow's `saved_model_cli` tool (a command-line utility for working with machine learning models) has a code injection vulnerability because it runs `eval` on user-supplied strings, which could allow attackers to execute arbitrary code on the system. The risk is limited because the tool is only run manually by users, not automatically.

Fix: The developers patched this by adding a `safe` flag that defaults to `True` and an explicit warning for users. The fix is included in TensorFlow 2.7.0 and will also be backported (applied to older versions still being supported) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

Source: NVD/CVE Database

CVE-2021-41227: TensorFlow is an open source platform for machine learning. In affected versions the `ImmutableConst` operation in Tenso

medium · vulnerability · security
Nov 5, 2021
CVE-2021-41227

TensorFlow (an open source machine learning platform) has a vulnerability in the `ImmutableConst` operation that allows attackers to read arbitrary memory contents. The issue occurs because the operation does not properly handle a special string type called `tstring` that can reference memory-mapped data.

Fix: The fix will be included in TensorFlow 2.7.0. The patch will also be backported (applied to older supported versions) in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

Source: NVD/CVE Database

CVE-2021-41225: TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's Grappler optimizer has a u

medium · vulnerability · security
Nov 5, 2021
CVE-2021-41225

TensorFlow's Grappler optimizer (the part of TensorFlow that improves how machine learning models run) has a bug where a variable called `dequeue_node` is never initialized if a saved model does not contain a specific type of operation called a `Dequeue` node. This uninitialized variable could cause the optimizer to behave unpredictably or crash.

Fix: Update to TensorFlow 2.7.0 or later. If you need to stay on earlier versions, update to TensorFlow 2.6.1, 2.5.2, or 2.4.4, which will include the fix through a cherrypick (a backport of the specific fix to older versions).

Source: NVD/CVE Database

CVE-2021-41222: TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SplitV` can trig

medium · vulnerability · security
Nov 5, 2021
CVE-2021-41222

TensorFlow, an open source platform for machine learning, has a vulnerability in the `SplitV` function where supplying negative arguments can cause a segfault (a crash from accessing invalid memory). The crash happens when the `size_splits` parameter contains multiple values with at least one of them negative.

Fix: The fix will be included in TensorFlow 2.7.0. The patch will also be backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, which are still in the supported range. Users can reference the specific commit at https://github.com/tensorflow/tensorflow/commit/25d622ffc432acc736b14ca3904177579e733cc6.

Source: NVD/CVE Database

CVE-2021-41221: TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the `Cudnn

high · vulnerability · security
Nov 5, 2021
CVE-2021-41221

TensorFlow (an open source machine learning platform) has a vulnerability where the shape inference code for certain operations can be tricked into accessing invalid memory through a heap buffer overflow (where a program writes data beyond the allocated memory space). This happens because the code does not verify that certain input parameters have the correct structure before using them.

Fix: The fix will be included in TensorFlow 2.7.0. The patch will also be backported (adapted and released) for TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

Source: NVD/CVE Database

CVE-2021-41220: TensorFlow is an open source platform for machine learning. In affected versions the async implementation of `Collective

high · vulnerability · security
Nov 5, 2021
CVE-2021-41220

TensorFlow, an open source platform for machine learning, had a memory leak and a use-after-free bug (a mistake where the program accesses data after it has already been freed) in its `CollectiveReduceV2` function due to improper handling of asynchronous operations. The vulnerability was caused by objects being moved from memory while still being accessed elsewhere in the code.

Fix: The fix is included in TensorFlow 2.7.0, and the patch was also backported to TensorFlow 2.6.1, which was the only other affected version.

Source: NVD/CVE Database

CVE-2021-41216: TensorFlow is an open source platform for machine learning. In affected versions the shape inference function for `Trans

medium · vulnerability · security
Nov 5, 2021
CVE-2021-41216

TensorFlow (an open source platform for machine learning) contains a vulnerability in its shape inference function for the `Transpose` operation where negative values in the `perm` parameter can cause a heap buffer overflow (writing data outside the intended memory boundaries). The issue stems from insufficient validation of the indices in `perm` before they are processed.

Fix: The fix will be included in TensorFlow 2.7.0. Users of affected versions should upgrade to TensorFlow 2.7.0 or to the patched versions: TensorFlow 2.6.1, TensorFlow 2.5.2, or TensorFlow 2.4.4.

Source: NVD/CVE Database

CVE-2021-41213: TensorFlow is an open source platform for machine learning. In affected versions the code behind `tf.function` API can b

medium · vulnerability · security
Nov 5, 2021
CVE-2021-41213

TensorFlow, an open source machine learning platform, has a vulnerability in its `tf.function` API (a feature that converts Python functions into optimized operations) where mutually recursive functions (functions that call each other back and forth) can deadlock on a non-reentrant Lock (a mechanism that prevents simultaneous access but does not allow the same thread to re-enter it). An attacker could cause a denial of service by tricking users into loading vulnerable models, though this scenario is uncommon.

Fix: The fix will be included in TensorFlow 2.7.0. The fix will also be backported (applied to older supported versions) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

Source: NVD/CVE Database

CVE-2021-41218: TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `AllToAll`

medium · vulnerability · security
Nov 5, 2021
CVE-2021-41218

TensorFlow, an open source machine learning platform, has a bug in its shape inference code for the `AllToAll` function that causes a division by zero error (dividing a value by 0, which crashes the program) whenever the `split_count` argument is set to 0. This vulnerability could allow an attacker to crash or disrupt a TensorFlow application.

Fix: The fix is included in TensorFlow 2.7.0. For users on earlier versions still receiving support, the patch will also be applied to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4. Users should update to one of these patched versions.

Source: NVD/CVE Database

CVE-2021-41209: TensorFlow is an open source platform for machine learning. In affected versions the implementations for convolution ope

medium · vulnerability · security
Nov 5, 2021
CVE-2021-41209

TensorFlow (an open source platform for machine learning) has a bug where its convolution operators (mathematical functions that process data in neural networks) crash with a division by zero error when given empty filter tensors (arrays of parameters). This vulnerability affects multiple versions of TensorFlow.

Fix: The fix is included in TensorFlow 2.7.0 and has also been backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

Source: NVD/CVE Database

CVE-2021-41208: TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlo

high · vulnerability · security
Nov 5, 2021
CVE-2021-41208

TensorFlow's boosted trees code (a machine learning feature for building multiple decision trees together) lacks proper input validation, allowing attackers to crash the system (denial of service, where a service becomes unavailable), read sensitive data from memory, or write malicious data to memory buffers. The TensorFlow developers recommend stopping use of these APIs, since the boosted trees code is no longer actively maintained.

Fix: The fix will be included in TensorFlow 2.7.0. Security patches will also be backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

Source: NVD/CVE Database

CVE-2021-41207: TensorFlow is an open source platform for machine learning. In affected versions the implementation of `ParallelConcat`

medium · vulnerability · security
Nov 5, 2021
CVE-2021-41207

TensorFlow, an open source platform for machine learning, has a vulnerability in its `ParallelConcat` function that lacks proper input validation and can cause a division by zero error (a crash caused by dividing a number by zero). Fixes for the affected versions are available in TensorFlow 2.7.0 and in patched releases of the earlier supported versions.

Fix: Update to TensorFlow 2.7.0. For users on earlier versions still in the supported range, apply the patches for TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4. The fix is available in the commit: https://github.com/tensorflow/tensorflow/commit/f2c3931113eaafe9ef558faaddd48e00a6606235

Source: NVD/CVE Database

CVE-2021-41206: TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missi

high · vulnerability · security
Nov 5, 2021
CVE-2021-41206

TensorFlow, a machine learning platform, has a vulnerability (CVE-2021-41206) where certain operations do not properly check the size and dimensions of tensor arguments (the numerical arrays that machine learning models process). This missing validation can cause crashes, memory corruption (reads and writes to unintended memory locations), or other undefined behavior, depending on which operation is affected.

Fix: The fixes will be included in TensorFlow 2.7.0. Patches will also be backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

Source: NVD/CVE Database