All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
TensorFlow has a vulnerability where the MatrixDiagPartOp function doesn't check if input data exists before reading from it, causing either a null pointer dereference (a crash from accessing memory that doesn't exist) or incorrect behavior that ignores most of the data. This happens when users don't provide valid padding values to this operation.
Fix: The issue was patched in GitHub commit 482da92095c4d48f8784b1f00dda4f81c28d2988. The fix is included in TensorFlow 2.6.0 and was also backported to TensorFlow 2.5.1, 2.4.3, and 2.3.4.
NVD/CVE DatabaseTensorFlow, a machine learning platform, has a vulnerability where attackers can crash the program or read memory they shouldn't access by providing incomplete or missing tensor names when restoring data. The bug happens because the code doesn't check if there are enough items in a list before trying to access them, leading to either a null pointer dereference (a crash from accessing invalid memory) or an out-of-bounds read (accessing memory outside the intended storage area).
A vulnerability in TensorFlow (a machine learning platform) allows attackers to crash the program by sending an invalid empty list to the `tf.raw_ops.RaggedTensorToTensor` function, which tries to access the first element without checking if the list is empty first, causing undefined behavior (unpredictable program actions). This is a null pointer dereference (attempting to use a memory location that contains no valid data).
TensorFlow, an open source platform for machine learning, has a vulnerability where passing invalid input to a specific function (tf.raw_ops.CompressElement) can cause a null pointer dereference (an error that occurs when code tries to access memory that hasn't been properly initialized). The bug happened because the code checked the size of a data buffer without first verifying that the buffer itself was valid.
TensorFlow (an open source machine learning platform) has a vulnerability where an attacker can crash the system by causing a floating point exception (a math error that stops the program) through specially crafted inputs to inplace operations (functions that modify data in place). The bug exists because the code uses the wrong logical operator, checking if either condition is true instead of checking if both are true.
TensorFlow, a machine learning platform, has a vulnerability where an attacker can crash the system through a floating point exception (a math error that occurs when dividing by zero) in the `tf.raw_ops.ResourceGather` function. The problem happens because the code divides by a value without first checking if that value is zero.
TensorFlow, an open source machine learning platform, has a vulnerability in the `tf.raw_ops.ResourceScatterDiv` function that causes a division by 0 error (attempting to divide by zero, which crashes programs). The problem exists because the code treats all division operations the same way without special handling for the case when the divisor is zero.
TensorFlow, an open-source machine learning platform, has a bug in the `tf.raw_ops.SparseReshape` function where it can crash with a division by zero error (dividing a number by zero). This happens because the code doesn't check if the target shape has any elements before dividing by it, allowing attackers to trigger this crash by providing specially crafted input.
TensorFlow, an open source platform for machine learning, has a vulnerability in its `tf.raw_ops.SparseDenseCwiseDiv` function where division by zero is not properly handled, causing the program to crash or behave unexpectedly. The vulnerability affects multiple older versions of TensorFlow that are still being supported.
Procdump is a tool that creates core dumps (snapshots of a program's memory) and can be installed on Linux systems, though it receives less attention from security professionals there than on Windows. An attacker with access to a Linux system can use procdump to dump the memory of running processes and search through them for sensitive information like passwords and credentials, as demonstrated in a scenario where an attacker extracts a password from a user's text editor process.
The Tutor LMS WordPress plugin before version 1.9.2 had a security flaw where the Summary field of Announcements was not properly escaped (cleaned of potentially harmful code before display). This allowed users with Tutor Instructor privileges to inject malicious scripts that would execute when other users viewed the Announcements list. If an admin viewed the list, the attacker could potentially gain admin-level access through a stored cross-site scripting attack (XSS, where harmful code is permanently saved and runs when the page loads).
CVE-2020-11511 is a privilege escalation vulnerability (where an attacker can gain higher access levels than they should have) in the LearnPress plugin for WordPress before version 3.2.6.9. Attackers can exploit the 'accept-to-be-teacher' action parameter to upgrade any user's account to LP Instructor status without proper authorization.
The Silver Searcher is a fast search tool designed for finding code and files quickly, with a focus on searching through source code. It offers built-in features that make it faster and more convenient than traditional tools like grep (a command-line search utility) and findstr.
Oracle Coherence (a data management tool in Oracle Fusion Middleware) has a serious vulnerability that allows an attacker on the network to take over the system without needing to log in, if they exploit it through T3 or IIOP (communication protocols). The vulnerability affects versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, and has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 8.1, indicating it is a high-severity risk.
Oracle Coherence, a data management product in Oracle Fusion Middleware, has a vulnerability that allows attackers without authentication to crash the system through network protocols called T3 and IIOP (inter-process communication protocols). This vulnerability affects multiple versions of the product and has a severity rating of 7.5 out of 10, meaning it could cause significant service disruptions.
Oracle Coherence, a data management product in Oracle Fusion Middleware, has a vulnerability (CVE-2021-2344) that allows attackers on a network to crash or hang the system without needing to log in, affecting versions 3.7.1.0 through 14.1.1.0.0. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 7.5, meaning it is moderately serious. Attackers can exploit this through T3 and IIOP (network communication protocols) connections to cause a denial of service (DOS, making a system unavailable to users).
Attackers can abuse Component Object Model (COM, a Windows system that lets programs automate each other) to weaponize Microsoft Office applications like Excel and Outlook for malicious purposes, such as creating documents, stealing data, and establishing command-and-control channels. Since COM automation uses legitimate, pre-installed applications, these attacks can be hard to detect. The article highlights that monitoring for unusual COM usage patterns is important for defensive teams to catch this type of threat.
TensorFlow versions up to 2.5.0 have a vulnerability where attackers can overwrite arbitrary files by providing a specially crafted archive when the tf.keras.utils.get_file function is used with the extract=True setting. This happens because the function doesn't properly validate file paths during extraction (a weakness called path traversal, where attackers manipulate file paths to access files outside intended directories). The vendor notes that this function was not designed to handle untrusted archives.
A researcher explored three security and privacy aspects of Apple's Airtag tracking devices: physically removing the speaker component, using browser APIs (code that web browsers provide to interact with hardware) to detect nearby Airtags without an iPhone, and investigating how data might be extracted through Airtags and Apple's Find My network. The post documents these findings as exploratory research into the Airtag ecosystem.
Security breaches happen regularly to organizations, and companies often don't discover them for days, months, or even years after they occur. The post argues that organizations should adopt red team exercises (simulated attacks by internal security experts to test defenses) to strengthen their security, since breaches cannot be completely prevented and automated malware can strike at any time.
Fix: The issue was patched in GitHub commit 9e82dce6e6bd1f36a57e08fa85af213e2b2f2622. The fix is included in TensorFlow 2.6.0 and was also backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The fix was patched in GitHub commit 301ae88b331d37a2a16159b65b255f4f9eb39314 and will be included in TensorFlow 2.6.0. The patch was also applied to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5. The fix will be included in TensorFlow 2.6.0, and will also be backported (applied to older versions) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue has been patched in GitHub commit e86605c0a336c088b638da02135ea6f9f6753618. The fix will be included in TensorFlow 2.6.0 and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit ac117ee8a8ea57b73d34665cdf00ef3303bc0b11. The fix will be included in TensorFlow 2.6.0, and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit 4aacb30888638da75023e6601149415b39763d76. The fix will be included in TensorFlow 2.6.0, and will also be backported (applied to older versions) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit 4923de56ec94fff7770df259ab7f2288a74feb41. The fix is included in TensorFlow 2.6.0 and will also be applied to TensorFlow 2.5.1.
NVD/CVE DatabaseFix: The issue has been patched in GitHub commit d9204be9f49520cdaaeb2541d1dc5187b23f31d9. The fix is included in TensorFlow 2.6.0, and the patch was also applied to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: Update the Tutor LMS plugin to version 1.9.2 or later.
NVD/CVE Database