aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6609 items

CVE-2022-29191: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

mediumvulnerability
security
May 20, 2022
CVE-2022-29191

TensorFlow, an open source machine learning platform, had a vulnerability in its `tf.raw_ops.GetSessionTensor` function (a command for retrieving tensor data from a session) where it did not properly validate input arguments, allowing attackers to crash the system through a denial of service attack (making software unavailable by overwhelming or breaking it). The vulnerability was fixed in TensorFlow versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4.

Fix: Update TensorFlow to one of the patched versions: 2.9.0, 2.8.1, 2.7.2, or 2.6.4.

NVD/CVE Database

CVE-2022-29539: resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sen

criticalvulnerability
security
May 12, 2022
CVE-2022-29539

CVE-2022-29539 is a vulnerability in RESI Gemini-Net 4.2 where the resi-calltrace component fails to validate user input before processing it on the server, allowing attackers to perform OS command injection (injecting arbitrary system commands by exploiting improper input checking). An unauthenticated attacker can bypass the intended syntax rules and execute commands with the same privileges as the application.

CVE-2022-29538: RESI Gemini-Net Web 4.2 is affected by Improper Access Control in authorization logic. An unauthenticated user is able t

mediumvulnerability
security
May 12, 2022
CVE-2022-29538

CVE-2022-29538 is a vulnerability in RESI Gemini-Net Web 4.2 where improper access control in the authorization logic (the system that checks who is allowed to do what) allows unauthenticated users (people without valid login credentials) to access critical resources they shouldn't be able to reach. The vulnerability's severity rating has not yet been officially assessed.

CVE-2022-21426: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supp

mediumvulnerability
security
Apr 19, 2022
CVE-2022-21426

A vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition (a high-performance Java runtime) in the JAXP component (Java API for XML Processing, which handles XML data) allows an unauthenticated attacker to partially disable these systems over a network. The vulnerability affects specific versions of Java and can be exploited through untrusted code in web applications or through web services that supply data to the vulnerable APIs, with a severity rating of 5.3 out of 10.

CVE-2022-21420: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are

criticalvulnerability
security
Apr 19, 2022
CVE-2022-21420

Oracle Coherence (a data management tool in Oracle Fusion Middleware) has a critical vulnerability (CVE-2022-21420) that allows attackers without authentication to take over the system by exploiting the T3 protocol (a communication method used by Oracle products), affecting versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The vulnerability has a CVSS score (a 0-10 severity rating) of 9.8, meaning it is extremely serious and impacts confidentiality, integrity, and availability of the system.

GPT-3 and Phishing Attacks

infonews
securitysafety

Grabbing and cracking macOS hashes

infonews
security
Apr 3, 2022

On macOS, attackers can extract password hashes from the local directory service (the system that stores account information) using the dscl command tool, even when System Integrity Protection is enabled, then convert these hashes to a format that hashcat (a password-cracking tool) can process to crack the passwords. This technique is particularly dangerous when organizations reuse the same admin password across multiple Mac computers, making lateral movement (spreading access across a network) easier for attackers.

CVE-2021-27456: Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-

lowvulnerability
security
Mar 23, 2022
CVE-2021-27456

Philips Gemini PET/CT family software has a vulnerability where it stores sensitive information on removable media (like USB drives) without access control (security restrictions that limit who can read or modify files). This means anyone with physical access to the removable media device could potentially read the sensitive data.

CVE-2021-45117: The OPC autogenerated ANSI C stack stubs (in the NodeSets) do not handle all error cases. This can lead to a NULL pointe

mediumvulnerability
security
Mar 21, 2022
CVE-2021-45117

CVE-2021-45117 is a vulnerability in OPC (OLE for Process Control, a standard for industrial automation communication) autogenerated ANSI C code where error handling is incomplete, allowing a NULL pointer dereference (an error where code tries to access memory that doesn't exist). This bug affects software that uses OPC NodeSets (configuration files that define data structures).

Flipper Zero - Initial Thoughts

infonews
security
Mar 19, 2022

The Flipper Zero is a handheld device that can read and emulate NFC (near-field communication, the wireless tech in credit cards and phones), RFID (radio-frequency identification used in key fobs), infrared signals, and radio frequencies, along with a Bad-USB feature that lets it act as a keyboard to send preprogrammed commands. The author demonstrates that it can easily read credit card numbers from physical cards and Apple Watches, though they note the device is educational and users should understand the risks and legal implications of its capabilities.

CVE-2022-24770: `gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11

highvulnerability
security
Mar 17, 2022
CVE-2022-24770

Gradio, a framework for building interactive machine learning demos, has a vulnerability in versions before 2.8.11 where its flagging feature (which saves data to CSV files) can be tricked into storing harmful commands in the file. If someone opens this CSV file in Excel or similar programs, those commands run automatically on their computer.

AWS Scaled Command Bash Script - Run AWS commands for many profiles

infonews
security
Mar 12, 2022

This article describes a bash script tool that runs AWS commands across multiple AWS profiles (sets of credentials configured locally) to help security researchers test discovered AWS access keys during penetration testing or bug bounties. The script checks whether each key is valid, identifies what resources it can access, and logs metadata like timestamps and the source IP address for reporting purposes.

CVE-2022-0845: Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

criticalvulnerability
security
Mar 5, 2022
CVE-2022-0845

CVE-2022-0845 is a code injection vulnerability (a flaw where an attacker can insert and execute malicious code) in PyTorch Lightning, a machine learning framework, affecting versions before 1.6.0. The vulnerability stems from improper control over code generation, allowing attackers to run arbitrary code through the affected software.

Gitlab Reconnaissance Introduction

infonews
security
Feb 28, 2022

This post documents reconnaissance techniques for GitLab (a code hosting platform similar to GitHub) after obtaining a GitLab Token (a credential that grants API access). An attacker with a valid token can enumerate projects, clone source code repositories to search for secrets, extract CI/CD variables (configuration values that often contain passwords or access keys), and discover runner tokens (registration credentials for build automation systems).

CVE-2022-0736: Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.

highvulnerability
security
Feb 23, 2022
CVE-2022-0736

MLflow, a machine learning platform, had an insecure temporary file vulnerability (CWE-377, a weakness where temporary files are created without proper security protections) in versions before 1.23.1. This vulnerability could potentially allow attackers to access or modify sensitive data stored in temporary files.

CVE-2022-23595: Tensorflow is an Open Source Machine Learning Framework. When building an XLA compilation cache, if default settings are

mediumvulnerability
security
Feb 4, 2022
CVE-2022-23595

TensorFlow (an open source machine learning framework) has a vulnerability where building an XLA compilation cache (a storage system that speeds up machine learning model compilation) with default settings causes a null pointer dereference (a crash that happens when code tries to use a memory location that doesn't exist). This occurs because the default configuration allows all devices, leaving a critical variable empty.

CVE-2022-23594: Tensorflow is an Open Source Machine Learning Framework. The TFG dialect of TensorFlow (MLIR) makes several assumptions

highvulnerability
security
Feb 4, 2022
CVE-2022-23594

TensorFlow (an open-source machine learning framework) has a vulnerability in its TFG dialect, which is part of MLIR (a compiler framework for optimizing code). An attacker can modify the SavedModel format (the way trained models are saved to disk) to break assumptions the system makes, which can crash the Python interpreter or cause heap OOB (out-of-bounds memory access, where code reads or writes memory it shouldn't).

CVE-2022-23593: Tensorflow is an Open Source Machine Learning Framework. The `simplifyBroadcast` function in the MLIR-TFRT infrastructur

mediumvulnerability
security
Feb 4, 2022
CVE-2022-23593

TensorFlow, an open-source machine learning framework, has a vulnerability in its `simplifyBroadcast` function (a part of the MLIR-TFRT infrastructure, which is the compiler and runtime system) that causes a segfault (a crash from accessing invalid memory) when given scalar shapes (data without dimensions), resulting in a denial of service (making the system unavailable). This affects only TensorFlow version 2.7.0.

CVE-2022-23592: Tensorflow is an Open Source Machine Learning Framework. TensorFlow's type inference can cause a heap out of bounds read

highvulnerability
security
Feb 4, 2022
CVE-2022-23592

TensorFlow (an open-source machine learning framework) has a vulnerability where type inference can read data outside the bounds of allocated memory (a heap out of bounds read). The bounds checking uses a DCHECK, which is disabled in production code, allowing an attacker to manipulate a variable so it accesses memory beyond what is available.

CVE-2022-23591: Tensorflow is an Open Source Machine Learning Framework. The `GraphDef` format in TensorFlow does not allow self recursi

highvulnerability
security
Feb 4, 2022
CVE-2022-23591

TensorFlow (an open-source machine learning framework) has a vulnerability where the GraphDef format (TensorFlow's way of representing computation graphs) can accept self-recursive functions even though it shouldn't, causing a stack overflow (a crash from too much memory use) when the model runs because the system gets stuck trying to resolve the same function repeatedly.

Previous300 / 331Next
NVD/CVE Database
NVD/CVE Database
NVD/CVE Database
NVD/CVE Database
Apr 11, 2022

GPT-3 (a large language model that generates realistic human-like text) could be misused by attackers to create convincing phishing attacks (fraudulent messages designed to trick people into revealing sensitive information). The post discusses this threat and mentions that organizations can take countermeasures to protect themselves, though specific details are not provided in the excerpt.

Embrace The Red
Embrace The Red
NVD/CVE Database
NVD/CVE Database
Embrace The Red

Fix: Update gradio to version 2.8.11 or later, which escapes saved CSV data with single quotes to prevent command execution. As a workaround, avoid opening CSV files generated by gradio with Excel or similar spreadsheet programs.

NVD/CVE Database
Embrace The Red

Fix: Update PyTorch Lightning to version 1.6.0 or later. A patch is available at https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae

NVD/CVE Database
Embrace The Red

Fix: Update MLflow to version 1.23.1 or later. A patch is available at https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.8.0. Patches will also be released in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.

NVD/CVE Database
NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.8.0.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.8.0.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.8.0. The fix will also be backported to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.

NVD/CVE Database