All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
TensorFlow, an open source platform for machine learning, has a bug in the `tf.raw_ops.LookupTableImportV2` function where it cannot properly handle scalar values (single values, not arrays) in the `values` parameter, causing an NPE (null pointer exception, when the program tries to use a value that doesn't exist). This is a type of vulnerability called NULL Pointer Dereference (CWE-476).
Fix: A fix is included in TensorFlow version 2.12.0 and version 2.11.1. Users can also reference the patch at https://github.com/tensorflow/tensorflow/commit/980b22536abcbbe1b4a5642fc940af33d8c19b69.
NVD/CVE DatabaseTensorFlow (an open source platform for machine learning) has a vulnerability called out-of-bounds access (a bug where code tries to read or write data outside the memory area it should access), caused by mismatched integer type sizes (using different number formats where the same one was expected). The issue can be fixed by updating to TensorFlow version 2.12.0 or 2.11.1.
TensorFlow (an open source machine learning platform) versions before 2.12.0 and 2.11.1 have a null pointer dereference (a crash caused by trying to access memory that doesn't exist) in a specific feature called QuantizedMatMulWithBiasAndDequantize when MKL (a math optimization library) is enabled. This bug can cause the software to crash or behave unexpectedly.
TensorFlow (an open source platform for machine learning) has a bug in the `tf.raw_ops.AvgPoolGrad` function where invalid input values can cause a floating point exception (a crash due to an illegal math operation). This affects TensorFlow versions before 2.12.0 and 2.11.1.
TensorFlow (an open-source machine learning platform) versions before 2.12.0 and 2.11.1 have a vulnerability that allows attackers to access heap memory (the part of a computer's memory used for dynamic storage) that shouldn't be accessible, potentially causing the program to crash or allowing remote code execution (running commands on a system remotely without authorization). This is caused by heap-based buffer overflow and out-of-bounds read errors (reading data from memory locations outside the intended boundaries).
TensorFlow, an open source machine learning platform, had an integer overflow vulnerability (a bug where calculations exceed the maximum number a computer can store) in versions before 2.12.0 and 2.11.1. The bug occurred when processing video frames with certain dimensions, potentially affecting full HD screencasts with at least 346 frames.
TensorFlow, an open source machine learning platform, had a floating point exception (a math error that crashes a program) in its AudioSpectrogram component before versions 2.12.0 and 2.11.1. This bug could cause the software to crash when processing certain audio data.
TensorFlow (an open source platform for machine learning) versions before 2.12.0 and 2.11.1 have a bug where the SparseSparseMaximum function crashes with a null pointer error (when the program tries to access memory that doesn't exist) if given invalid sparse tensors (multi-dimensional arrays with mostly empty values) as inputs. This is a stability issue that can cause the program to fail.
TensorFlow, an open source machine learning platform, had a heap buffer overflow vulnerability (a memory safety bug where data is written beyond allocated space) in a function called TAvgPoolGrad before versions 2.12.0 and 2.11.1. This vulnerability could potentially allow attackers to crash the software or execute code.
TensorFlow, an open source machine learning platform, had a vulnerability in versions before 2.12.0 and 2.11.1 where a null pointer dereference (a crash caused by trying to use a memory location that doesn't exist) could occur in the Lookup function when a certain pointer was null. This weakness is classified as CWE-476 (NULL Pointer Dereference).
TensorFlow, an open source machine learning platform, has a vulnerability in versions before 2.12.0 and 2.11.1 involving integer overflow (a math error where a number gets too large and wraps around) in the EditDistance function. This bug could potentially cause unexpected behavior or crashes in machine learning programs using affected versions.
TensorFlow, an open source platform for machine learning, has a bug in its `tf.raw_ops.Print` function that causes a seg fault (a crash where the program tries to access memory it shouldn't) when the `summarize` parameter is set to zero. The bug happens because the code tries to use a nullptr (a reference to nothing instead of valid data).
TensorFlow, an open source machine learning platform, had a vulnerability where mismatched parameters in the `DynamicStitch` function could cause a stack OOB read (out-of-bounds read, where a program accesses memory it shouldn't). This flaw affected versions before 2.12.0 and 2.11.1.
TensorFlow, an open source platform for machine learning, had an out of bounds read vulnerability (a bug where code tries to access memory it shouldn't) in a component called GRUBlockCellGrad before versions 2.12.0 and 2.11.1. This vulnerability could potentially allow attackers to read sensitive data or crash the system.
CVE-2023-1177 is a path traversal vulnerability (a flaw where an attacker can access files outside the intended directory by using special characters like '..') in MLflow versions before 2.2.1. This weakness allows attackers to potentially read or access files they shouldn't be able to reach on the system.
CVE-2023-1176 is an absolute path traversal vulnerability (a bug where an attacker can access files anywhere on a system by using file paths that start from the root directory) found in MLflow, an open-source platform for managing machine learning experiments, affecting versions before 2.2.2. The vulnerability was discovered and reported through the huntr.dev bug bounty program.
Streamlit, software that converts data scripts into web applications, had a cross-site scripting vulnerability (XSS, where an attacker injects malicious code that runs in a user's browser) in versions 0.63.0 through 0.80.0. An attacker could craft a malicious URL containing JavaScript code, trick a user into clicking it, and the Streamlit server would execute that code in the victim's browser.
The Replyable WordPress plugin before version 2.2.10 has a security flaw where it doesn't check the class names that users submit when creating objects in a specific action, and it also lacks CSRF protection (cross-site request forgery, where an attacker tricks a user into performing actions without their knowledge). This allows authenticated users, even those with basic subscriber permissions, to perform object injection attacks (exploiting how the plugin creates objects to run unintended code).
Yolo is a tool that uses ChatGPT API (OpenAI's language model accessed through code) to translate natural language questions into shell commands (the text-based interface for controlling a computer) that can be executed automatically. The tool helps users who forget command syntax by converting plain English requests into proper bash, zsh, or PowerShell commands, with a safety feature that shows the command before running it unless the user enables automatic execution.
LiteDB, a lightweight database library for .NET, has a vulnerability in versions before 5.0.13 where it can deserialize (convert data from a format like JSON back into usable objects) untrusted data. If an attacker sends specially crafted JSON to an application using LiteDB, the library may load unsafe objects by using a special `_type` field that tells it what class to create, potentially allowing malicious code execution.
Fix: A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
NVD/CVE DatabaseFix: Update to TensorFlow version 2.12.0 or version 2.11.1, which include fixes for this vulnerability.
NVD/CVE DatabaseFix: Update to TensorFlow version 2.12.0 or version 2.11.1, which include a fix for this issue.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow version 2.12.0 and will also be cherry-picked (selectively applied) to TensorFlow version 2.11.1.
NVD/CVE DatabaseFix: Update to TensorFlow version 2.12.0 or version 2.11.1, which include the fix for this vulnerability.
NVD/CVE DatabaseFix: Update TensorFlow to version 2.12.0 or version 2.11.1, which include the fix for this vulnerability.
NVD/CVE DatabaseFix: Update to TensorFlow version 2.12.0 or version 2.11.1, which include a fix for this vulnerability.
NVD/CVE DatabaseFix: Update TensorFlow to version 2.12.0 or 2.11.1, which include the fix for this vulnerability.
NVD/CVE DatabaseFix: Update to TensorFlow version 2.12.0 or 2.11.1, which include the fix for this vulnerability. The patch is available at https://github.com/tensorflow/tensorflow/commit/239139d2ae6a81ae9ba499ad78b56d9b2931538a.
NVD/CVE DatabaseFix: Update TensorFlow to version 2.12.0 or version 2.11.1, both of which include a fix for this vulnerability.
NVD/CVE DatabaseFix: A fix is included in TensorFlow version 2.12.0 and version 2.11.1. Users should update to one of these versions or later.
NVD/CVE DatabaseFix: Update TensorFlow to version 2.12.0 or version 2.11.1, which include the fix for this vulnerability.
NVD/CVE DatabaseFix: Update TensorFlow to version 2.12.0 or version 2.11.1, which include the fix for this vulnerability.
NVD/CVE DatabaseFix: Update MLflow to version 2.2.1 or later. A patch is available at https://github.com/mlflow/mlflow/pull/7891/commits/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e
NVD/CVE DatabaseFix: Fixed in version 2.2.2. A patch is available at https://github.com/mlflow/mlflow/commit/63ef72aa4334a6473ce7f889573c92fcae0b3c0d.
NVD/CVE DatabaseFix: Update to version 0.81.0, which contains a patch for this vulnerability.
NVD/CVE DatabaseFix: Update the Replyable WordPress plugin to version 2.2.10 or later.
NVD/CVE DatabaseFix: Update LiteDB to version 5.0.13 or later. The source notes this version includes basic fixes to prevent the issue, though it is not completely guaranteed when using `Object` type. A future major version will add an allow-list to control which assemblies (code libraries) can be loaded. For immediate protection, consult the vendor advisory for additional workarounds.
NVD/CVE Database