All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
TensorFlow, an open source machine learning platform, has a vulnerability in the `tf.raw_ops.ResourceScatterDiv` function that causes a division by 0 error (attempting to divide by zero, which crashes programs). The problem exists because the code treats all division operations the same way without special handling for the case when the divisor is zero.
Fix: The issue was patched in GitHub commit 4aacb30888638da75023e6601149415b39763d76. The fix will be included in TensorFlow 2.6.0, and will also be backported (applied to older versions) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseTensorFlow, an open-source machine learning platform, has a bug in the `tf.raw_ops.SparseReshape` function where it can crash with a division by zero error (dividing a number by zero). This happens because the code doesn't check if the target shape has any elements before dividing by it, allowing attackers to trigger this crash by providing specially crafted input.
TensorFlow, an open source platform for machine learning, has a vulnerability in its `tf.raw_ops.SparseDenseCwiseDiv` function where division by zero is not properly handled, causing the program to crash or behave unexpectedly. The vulnerability affects multiple older versions of TensorFlow that are still being supported.
Procdump is a tool that creates core dumps (snapshots of a program's memory) and can be installed on Linux systems, though it receives less attention from security professionals there than on Windows. An attacker with access to a Linux system can use procdump to dump the memory of running processes and search through them for sensitive information like passwords and credentials, as demonstrated in a scenario where an attacker extracts a password from a user's text editor process.
The Tutor LMS WordPress plugin before version 1.9.2 had a security flaw where the Summary field of Announcements was not properly escaped (cleaned of potentially harmful code before display). This allowed users with Tutor Instructor privileges to inject malicious scripts that would execute when other users viewed the Announcements list. If an admin viewed the list, the attacker could potentially gain admin-level access through a stored cross-site scripting attack (XSS, where harmful code is permanently saved and runs when the page loads).
CVE-2020-11511 is a privilege escalation vulnerability (where an attacker can gain higher access levels than they should have) in the LearnPress plugin for WordPress before version 3.2.6.9. Attackers can exploit the 'accept-to-be-teacher' action parameter to upgrade any user's account to LP Instructor status without proper authorization.
The Silver Searcher is a fast search tool designed for finding code and files quickly, with a focus on searching through source code. It offers built-in features that make it faster and more convenient than traditional tools like grep (a command-line search utility) and findstr.
Oracle Coherence (a data management tool in Oracle Fusion Middleware) has a serious vulnerability that allows an attacker on the network to take over the system without needing to log in, if they exploit it through T3 or IIOP (communication protocols). The vulnerability affects versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, and has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 8.1, indicating it is a high-severity risk.
Oracle Coherence, a data management product in Oracle Fusion Middleware, has a vulnerability that allows attackers without authentication to crash the system through network protocols called T3 and IIOP (inter-process communication protocols). This vulnerability affects multiple versions of the product and has a severity rating of 7.5 out of 10, meaning it could cause significant service disruptions.
Oracle Coherence, a data management product in Oracle Fusion Middleware, has a vulnerability (CVE-2021-2344) that allows attackers on a network to crash or hang the system without needing to log in, affecting versions 3.7.1.0 through 14.1.1.0.0. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 7.5, meaning it is moderately serious. Attackers can exploit this through T3 and IIOP (network communication protocols) connections to cause a denial of service (DOS, making a system unavailable to users).
Attackers can abuse Component Object Model (COM, a Windows system that lets programs automate each other) to weaponize Microsoft Office applications like Excel and Outlook for malicious purposes, such as creating documents, stealing data, and establishing command-and-control channels. Since COM automation uses legitimate, pre-installed applications, these attacks can be hard to detect. The article highlights that monitoring for unusual COM usage patterns is important for defensive teams to catch this type of threat.
TensorFlow versions up to 2.5.0 have a vulnerability where attackers can overwrite arbitrary files by providing a specially crafted archive when the tf.keras.utils.get_file function is used with the extract=True setting. This happens because the function doesn't properly validate file paths during extraction (a weakness called path traversal, where attackers manipulate file paths to access files outside intended directories). The vendor notes that this function was not designed to handle untrusted archives.
A researcher explored three security and privacy aspects of Apple's Airtag tracking devices: physically removing the speaker component, using browser APIs (code that web browsers provide to interact with hardware) to detect nearby Airtags without an iPhone, and investigating how data might be extracted through Airtags and Apple's Find My network. The post documents these findings as exploratory research into the Airtag ecosystem.
Security breaches happen regularly to organizations, and companies often don't discover them for days, months, or even years after they occur. The post argues that organizations should adopt red team exercises (simulated attacks by internal security experts to test defenses) to strengthen their security, since breaches cannot be completely prevented and automated malware can strike at any time.
TensorFlow (an open-source platform for machine learning) has a bug where passing invalid arguments to a specific function called `tf.raw_ops.SparseCountSparseOutput` causes a segfault (a crash where the program tries to access memory it shouldn't). This happens because the function doesn't properly handle exceptional conditions (unexpected or invalid inputs).
TensorFlow (an open source machine learning platform) crashes when you pass a complex argument to the `tf.transpose` function while also using the `conjugate=True` argument. This happens because the software doesn't properly handle this unusual combination of inputs.
TensorFlow is a machine learning platform that had a vulnerability where an attacker could crash the system by sending invalid arguments to the `tf.strings.substr` function, which performs string operations. This vulnerability was caused by improper error handling (not properly catching and managing exceptional conditions that shouldn't happen).
TensorFlow, a machine learning platform, has a vulnerability where TrySimplify (a code optimization component) can crash by dereferencing a null pointer (trying to access memory that doesn't exist) when optimizing nodes with no inputs. This undefined behavior can cause the program to fail unexpectedly.
A vulnerability in TensorFlow (an open source machine learning platform) allows attackers to cause a stack overflow (a crash caused by a program using too much memory on the call stack) by sending specially crafted input to the `ParseAttrValue` function through recursion (when a function calls itself repeatedly).
A bug in TensorFlow's `tf.io.decode_raw` function causes incorrect results and crashes when using certain combinations of parameters. The problem stems from incorrect pointer arithmetic (moving through memory incorrectly), which causes the function to skip parts of input data and write outside the allocated memory bounds (OOB write, where data is written to memory locations it shouldn't access), potentially leading to crashes or more serious attacks.
Fix: The issue was patched in GitHub commit 4923de56ec94fff7770df259ab7f2288a74feb41. The fix is included in TensorFlow 2.6.0 and will also be applied to TensorFlow 2.5.1.
NVD/CVE DatabaseFix: The issue has been patched in GitHub commit d9204be9f49520cdaaeb2541d1dc5187b23f31d9. The fix is included in TensorFlow 2.6.0, and the patch was also applied to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: Update the Tutor LMS plugin to version 1.9.2 or later.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. Patches will also be applied to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4, as these versions are also affected and still supported.
NVD/CVE DatabaseFix: Update to TensorFlow 2.5.0 or later. If you're using an older supported version, updates are also available for TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The vulnerability will also be patched in earlier versions: TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (applied to older versions) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4, which are still supported.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be applied to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0 and will be backported (adapted for older versions) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
NVD/CVE Database