classicvalues / morpheus

This project forked from nv-morpheus/morpheus

Morpheus SDK

License: Apache License 2.0

Shell 3.59% JavaScript 0.01% C++ 21.45% Python 48.99% Cuda 0.73% PureBasic 1.11% CMake 1.04% Jupyter Notebook 22.40% Cython 0.16% Dockerfile 0.53% GDB 0.01%

morpheus's Introduction

NVIDIA Morpheus

NVIDIA Morpheus is an open AI application framework that provides cybersecurity developers with a highly optimized AI framework and pre-trained AI capabilities that allow them to instantaneously inspect all IP traffic across their data center fabric. The Morpheus developer framework allows teams to build their own optimized pipelines that address cybersecurity and information security use cases. Bringing a new level of security to data centers, Morpheus provides development capabilities around dynamic protection, real-time telemetry, adaptive policies, and cyber defenses for detecting and remediating cybersecurity threats.

Documentation

Using Morpheus

Modifying Morpheus

Deploying Morpheus

Full documentation for the latest official release is available at https://docs.nvidia.com/morpheus/.

morpheus's People

Contributors

ajschmidt8, bartleyr, bsuryadevara, classicvalues, cwharris, dagardner-nv, dependabot[bot], drobison00, efajardo-nv, gbatmaz, gputester, hsin-c, imgbotapp, jarmak-nv, jjacobelli, lobotmcj, mdemoret-nv, mend-bolt-for-github[bot], pdmack, raykallen, shawn-davis, tanmoyio, tzemicheal

morpheus's Issues

transformers-4.24.0-py3-none-any.whl: 4 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - transformers-4.24.0-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a4/df/3248eac2923ceffdf55686ff318e002b558e7c51f6a909dd870cf3185949/transformers-4.24.0-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/sid-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/sid-models/requirements.txt,/models/training-tuning-scripts/phishing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/training-tuning-scripts/root-cause-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (transformers version) Remediation Possible**
CVE-2023-6730 High 8.8 transformers-4.24.0-py3-none-any.whl Direct 4.36.0
CVE-2023-7018 High 7.8 transformers-4.24.0-py3-none-any.whl Direct 4.36.0
CVE-2023-2800 Medium 4.7 transformers-4.24.0-py3-none-any.whl Direct 4.30.1
CVE-2024-3568 Low 3.4 transformers-4.24.0-py3-none-any.whl Direct 4.38.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-6730

Dependency Hierarchy:

  • transformers-4.24.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-19

URL: CVE-2023-6730

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16/

Release Date: 2023-12-19

Fix Resolution: 4.36.0

Step up your Open Source Security Game with Mend here

CVE-2023-7018

Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-20

URL: CVE-2023-7018

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018

Release Date: 2023-12-20

Fix Resolution: 4.36.0

CVE-2023-2800

Vulnerability Details

Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.

Publish Date: 2023-05-18

URL: CVE-2023-2800

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a/

Release Date: 2023-05-18

Fix Resolution: 4.30.1

CVE-2024-3568

Vulnerability Details

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the load_repo_checkpoint() function of the TFPreTrainedModel() class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of pickle.load() on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

Publish Date: 2024-04-10

URL: CVE-2024-3568

CVSS 3 Score Details (3.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-3568

Release Date: 2024-04-10

Fix Resolution: 4.38.0
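The three deserialization advisories above (CVE-2023-6730, CVE-2023-7018 and CVE-2024-3568) all come down to the same sink: `pickle.load()` on a checkpoint of unknown origin, which runs whatever callable the pickle names before the caller ever sees a "model". The following is an added example written for this page, not code from Morpheus or from the transformers library. It shows a harmless malicious checkpoint, the plain `pickle.loads` pattern that executes it, and a restricted unpickler plus an out-of-band SHA-256 pin that refuses it. The `attacker_payload` function, the `SAFE_GLOBALS` allowlist and the helper names are constructed for the demonstration; the allowlist is deliberately tiny and would need numpy/torch entries before it could load a real checkpoint.

```python
import hashlib
import io
import pickle
from typing import Any, Optional, Tuple

# Constructed stand-in for a real payload (os.system, a reverse shell, ...).
# It only records that it ran, so the demonstration is harmless.
EXECUTED = []


def attacker_payload(marker: str) -> str:
    EXECUTED.append(marker)
    return marker


class MaliciousCheckpoint:
    """Any object whose __reduce__ names a callable has that callable invoked
    by pickle.load() during reconstruction, before the caller sees a result."""

    def __reduce__(self):
        return (attacker_payload, ("arbitrary code ran during load",))


def build_malicious_checkpoint() -> bytes:
    return pickle.dumps(MaliciousCheckpoint())


def build_benign_checkpoint() -> bytes:
    # Shape of a small trainer state built from plain builtins only (constructed).
    return pickle.dumps({"epoch": 3, "lr": 0.001, "layer_sizes": [768, 256, 2]})


def load_checkpoint_unsafe(blob: bytes) -> Any:
    # The pattern behind the advisories: pickle on data of unknown origin.
    return pickle.loads(blob)


# Globals the restricted loader will resolve. Everything else (os.*, subprocess.*,
# builtins.eval, our attacker_payload, ...) is refused. Assumption: a real
# checkpoint format would need its own, still explicit, allowlist.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "str"), ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def load_checkpoint_restricted(blob: bytes, expected_sha256: Optional[str] = None) -> Any:
    """Verify an out-of-band digest pin (if given), then unpickle with the allowlist."""
    if expected_sha256 is not None:
        digest = hashlib.sha256(blob).hexdigest()
        if digest != expected_sha256:
            raise ValueError("checkpoint digest does not match the pinned value")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def try_restricted_load(blob: bytes, expected_sha256: Optional[str] = None) -> Tuple[str, Any]:
    """Return ('ok', obj) or ('rejected', reason) so callers need no try/except."""
    try:
        return "ok", load_checkpoint_restricted(blob, expected_sha256)
    except (pickle.UnpicklingError, ValueError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    good = build_benign_checkpoint()
    bad = build_malicious_checkpoint()
    print("benign, restricted:", try_restricted_load(good))
    print("malicious, restricted:", try_restricted_load(bad), "executed:", EXECUTED)
    print("malicious, plain pickle.loads:", load_checkpoint_unsafe(bad), "executed:", EXECUTED)
```

The restricted loader rejects the malicious blob without running the payload, while `pickle.loads` runs it and returns whatever the payload returned. An allowlist of this kind is a mitigation for code you control; the remediation the table gives (upgrading transformers past the listed fix versions) and preferring non-executable weight formats remain the fix for the dependency itself.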

tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl: 174 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl

Removed: please install "tensorflow" instead.

Library home page: https://files.pythonhosted.org/packages/3a/0b/89319be6c6a043b8b201a42666afe8e3badbdd477eba1829f59a7718bf1f/tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (tensorflow_gpu version) Remediation Possible**
CVE-2023-25668 Critical 9.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25664 Critical 9.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2022-41900 Critical 9.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-35939 Critical 9.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-23587 Critical 9.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
WS-2022-0073 Critical 9.3 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-41910 Critical 9.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41902 Critical 9.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41880 Critical 9.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-35938 Critical 9.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35937 Critical 9.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-23574 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23573 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23566 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23562 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23561 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23559 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23558 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21740 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21727 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21726 High 8.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-41894 High 8.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-23592 High 8.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-21730 High 8.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21728 High 8.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-29216 High 7.8 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
WS-2022-0401 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.4
CVE-2023-25676 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25675 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25674 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25673 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25672 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25670 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25669 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25667 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25665 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25663 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25662 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25660 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25659 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25658 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2022-41911 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.4
CVE-2022-41909 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41908 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-cpu - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-gpu - 2.8.4,2.9.3,2.10.1,2.11.0
CVE-2022-41907 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-368v-7v32-52fx
CVE-2022-41901 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41899 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-27rc-728f-x5w2
CVE-2022-41898 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41897 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-f2w8-jw48-fr7j
CVE-2022-41896 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-rmg2-f698-wq35
CVE-2022-41895 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41893 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41891 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-66vq-54fq-6jvv
CVE-2022-41889 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41888 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41887 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.9.3
CVE-2022-41886 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41885 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.4
CVE-2022-41884 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-36027 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36019 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36018 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36017 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36016 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36015 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36013 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-36012 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36011 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36005 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36004 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36003 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36002 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36001 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36000 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35999 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35998 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35997 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35996 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35995 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35994 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35993 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35992 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35991 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35989 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35988 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35987 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35986 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35985 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35984 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35983 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35982 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35981 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35979 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35974 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35973 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35972 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35971 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35970 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35969 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35968 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35967 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35966 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35965 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35963 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35960 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35959 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35952 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35941 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-35940 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35935 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35934 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-23593 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-23591 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23590 High 7.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-29208 High 7.1 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-23595 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23589 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23588 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23586 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23584 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23583 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23582 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23581 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23579 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23577 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23576 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23575 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23572 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23571 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23570 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23569 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23568 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23567 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23565 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23564 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23557 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21741 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21739 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21738 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21737 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21736 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21735 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21734 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21733 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21732 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21731 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21729 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-21725 Medium 6.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23563 Medium 6.3 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
WS-2022-0137 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
WS-2022-0071 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-29213 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29212 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29211 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29209 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29207 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29206 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29205 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29204 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29203 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29202 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29201 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29200 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29199 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29198 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29197 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29196 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29195 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29194 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29193 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29192 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-29191 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.2
CVE-2022-23594 Medium 5.5 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1
CVE-2022-23578 Medium 4.3 tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.7.1

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

Partial details (1 vulnerability) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-25668

Vulnerable Library - tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl

Removed: please install "tensorflow" instead.

Library home page: https://files.pythonhosted.org/packages/3a/0b/89319be6c6a043b8b201a42666afe8e3badbdd477eba1829f59a7718bf1f/tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow_gpu-2.7.0-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. Attackers using TensorFlow prior to 2.12.0 or 2.11.1 can access heap memory which is not under the user's control, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherry-pick this commit on TensorFlow version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25668

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gw97-ff7c-9v96

Release Date: 2023-03-25

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

Step up your Open Source Security Game with Mend here

Werkzeug-2.2.2-py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Werkzeug version) Remediation Available
CVE-2023-25577 High 7.5 Werkzeug-2.2.2-py3-none-any.whl Direct Werkzeug - 2.2.3
CVE-2023-23934 Low 3.5 Werkzeug-2.2.2-py3-none-any.whl Direct Werkzeug - 2.2.3

Details

CVE-2023-25577

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small number of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out-of-memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Publish Date: 2023-02-14

URL: CVE-2023-25577

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3


CVE-2023-23934

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3


Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl: 2 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/dfp-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/ransomware-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Pillow version) Remediation Possible**
CVE-2023-50447 High 8.1 Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl Direct pillow - 10.2.0
CVE-2023-44271 High 7.5 Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl Direct Pillow - 10.0.0

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2023-50447

Vulnerable Library - Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/dfp-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/ransomware-models/requirements.txt

Dependency Hierarchy:

  • Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Publish Date: 2024-01-19

URL: CVE-2023-50447

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1

Release Date: 2024-01-19

Fix Resolution: pillow - 10.2.0


CVE-2023-44271

Vulnerable Library - Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/dfp-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/ransomware-models/requirements.txt

Dependency Hierarchy:

  • Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a denial of service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0


tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl: 124 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/31/66/d9cd0b850397dbd33f070cc371a183b4903120b1c103419e9bf20568456e/tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (tensorflow version) Remediation Possible**
CVE-2023-25668 Critical 9.8 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.11.1
CVE-2023-25664 Critical 9.8 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.11.1
CVE-2022-41900 Critical 9.8 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-35939 Critical 9.8 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-41910 Critical 9.1 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41902 Critical 9.1 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41880 Critical 9.1 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-35938 Critical 9.1 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35937 Critical 9.1 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-41894 High 8.1 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-29216 High 7.8 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
WS-2022-0401 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.4
CVE-2023-25676 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25675 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25674 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25673 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25672 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25671 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.11.1
CVE-2023-25670 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25669 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25667 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25665 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.11.1
CVE-2023-25663 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25662 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25660 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25659 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2023-25658 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
CVE-2022-41911 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.4
CVE-2022-41909 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41908 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-cpu - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-gpu - 2.8.4,2.9.3,2.10.1,2.11.0
CVE-2022-41907 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-368v-7v32-52fx
CVE-2022-41901 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41899 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-27rc-728f-x5w2
CVE-2022-41898 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41897 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-f2w8-jw48-fr7j
CVE-2022-41896 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-rmg2-f698-wq35
CVE-2022-41895 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41893 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1
CVE-2022-41891 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct GHSA-66vq-54fq-6jvv
CVE-2022-41889 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41888 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41887 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.9.3
CVE-2022-41886 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-41885 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-41884 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
CVE-2022-36027 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36026 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36019 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36018 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36017 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36016 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36015 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36014 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-36013 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-36012 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36011 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36005 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36004 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36003 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36002 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36001 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-36000 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35999 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35998 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35997 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35996 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35995 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35994 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35993 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35992 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35991 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35989 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35988 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35987 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35986 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35985 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35984 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35983 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35982 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35981 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35979 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35974 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35973 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35972 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35971 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35970 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35969 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35968 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35967 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35966 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35965 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35963 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35960 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35959 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35952 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35941 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-35940 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35935 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-35934 High 7.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
CVE-2022-29208 High 7.1 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2023-25661 Medium 6.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.11.1
WS-2022-0137 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29213 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29212 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29211 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29210 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29209 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29207 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29206 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29205 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29204 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29203 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29202 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29201 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29200 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29199 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29198 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29197 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29196 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29195 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29194 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29193 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct tensorflow - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-cpu - 2.6.4,2.7.2,2.8.1,2.9.0;tensorflow-gpu - 2.6.4,2.7.2,2.8.1,2.9.0
CVE-2022-29192 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1
CVE-2022-29191 Medium 5.5 tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl Direct 2.8.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (6 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-25668

Vulnerable Library - tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/31/66/d9cd0b850397dbd33f070cc371a183b4903120b1c103419e9bf20568456e/tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. Attackers using TensorFlow prior to 2.12.0 or 2.11.1 can access heap memory that is not under the user's control, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0, and the commit will also be cherry-picked onto TensorFlow version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25668

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gw97-ff7c-9v96

Release Date: 2023-03-25

Fix Resolution: 2.11.1

Step up your Open Source Security Game with Mend here

CVE-2023-25664

Vulnerable Library - tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/31/66/d9cd0b850397dbd33f070cc371a183b4903120b1c103419e9bf20568456e/tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25664

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6hg6-5c2q-7rcr

Release Date: 2023-03-25

Fix Resolution: 2.11.1

CVE-2022-41900

Vulnerable Library - tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/31/66/d9cd0b850397dbd33f070cc371a183b4903120b1c103419e9bf20568456e/tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The vulnerability is in FractionalMax(Avg)Pool when called with an illegal pooling_ratio. Attackers using TensorFlow can exploit it to access heap memory that is not under the user's control, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit on TensorFlow 2.10.1.

Publish Date: 2022-11-18

URL: CVE-2022-41900

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvwp-h6jv-7472

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

CVE-2022-35939

Vulnerable Library - tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/31/66/d9cd0b850397dbd33f070cc371a183b4903120b1c103419e9bf20568456e/tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The ScatterNd function takes an input argument that determines the indices of the output tensor. An input index greater than the output tensor or less than zero will either write content at the wrong index or trigger a crash. We have patched the issue in GitHub commit b4d4b4cb019bd7240a52daa4ba61e3cc814f0384. The fix will be included in TensorFlow 2.10.0. We will also cherry-pick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Publish Date: 2022-09-16

URL: CVE-2022-35939

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-ffjm-4qwc-7cmf

Release Date: 2022-09-16

Fix Resolution: tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0

CVE-2022-41910

Vulnerable Library - tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/31/66/d9cd0b850397dbd33f070cc371a183b4903120b1c103419e9bf20568456e/tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1.

Publish Date: 2022-12-06

URL: CVE-2022-41910

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-frqp-wp83-qggv

Release Date: 2022-09-30

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

CVE-2022-41902

Vulnerable Library - tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/31/66/d9cd0b850397dbd33f070cc371a183b4903120b1c103419e9bf20568456e/tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.8.0-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1.

Publish Date: 2022-12-06

URL: CVE-2022-41902

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cg88-rpvp-cjv5

Release Date: 2022-09-30

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

ipywidgets-8.0.6-py3-none-any.whl: 2 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - ipywidgets-8.0.6-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt,/docs/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (ipywidgets version) Remediation Possible**
CVE-2023-28370 Medium 6.1 tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl Transitive 8.0.7
WS-2023-0296 Medium 5.6 tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl Transitive 8.0.7

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-28370

Vulnerable Library - tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/19/bb/b6c3d1668d2b10ad38a584f3a1ec9737984e274f8b708e09fcbb96427f5c/tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt,/docs/requirements.txt

Dependency Hierarchy:

  • ipywidgets-8.0.6-py3-none-any.whl (Root Library)
    • ipykernel-6.16.2-py3-none-any.whl
      • tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

Publish Date: 2023-05-25

URL: CVE-2023-28370

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-05-25

Fix Resolution (tornado): 6.3.2

Direct dependency fix Resolution (ipywidgets): 8.0.7

WS-2023-0296

Vulnerable Library - tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/19/bb/b6c3d1668d2b10ad38a584f3a1ec9737984e274f8b708e09fcbb96427f5c/tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt,/docs/requirements.txt

Dependency Hierarchy:

  • ipywidgets-8.0.6-py3-none-any.whl (Root Library)
    • ipykernel-6.16.2-py3-none-any.whl
      • tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Tornado vulnerable to HTTP request smuggling via improper parsing of Content-Length fields and chunk lengths

Publish Date: 2023-08-15

URL: WS-2023-0296

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-qppv-j76h-2rpx

Release Date: 2023-08-15

Fix Resolution (tornado): 6.3.3

Direct dependency fix Resolution (ipywidgets): 8.0.7

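The WS-2023-0296 entry above names the defect class (lenient parsing of Content-Length and chunk-size values) but not what "improper parsing" looks like in practice. The script below is an added illustration, not tornado's code and not taken from the advisory: it puts the permissive Python idiom, plain int() and int(x, 16), beside a parser that enforces the RFC 9112 grammar (Content-Length is ASCII digits only; a chunk-size is hex digits followed optionally by ';' extensions) and refuses the ambiguous header combinations a smuggling request relies on. The header values and chunk-size lines are constructed probes; the point they make is that int() silently accepts a leading sign, surrounding whitespace, digit-group underscores, non-ASCII decimal digits and a 0x prefix, so two hops on the same connection can disagree about where a body ends.

```python
"""Strict versus lax parsing of HTTP/1.1 body-framing fields.

Added example for this report, not tornado's code. It illustrates the
defect class named by WS-2023-0296, request smuggling through lenient
parsing of Content-Length and chunk-size values, using the semantics of
Python's own int(). The header values and chunk-size lines are constructed.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# RFC 9112 grammar: Content-Length = 1*DIGIT ; chunk-size = 1*HEXDIG
_DIGITS = re.compile(r"[0-9]+")
_HEXDIGITS = re.compile(r"[0-9A-Fa-f]+")


class BadRequest(ValueError):
    """Framing a strict parser refuses; the right response is 400 and close."""


def lax_content_length(value: str) -> int:
    # int() tolerates a sign, surrounding whitespace, digit-group underscores
    # and non-ASCII decimal digits, so a front proxy and this parser can
    # disagree about where the body ends.
    return int(value)


def lax_chunk_size(line: str) -> int:
    # int(x, 16) additionally tolerates a 0x prefix.
    return int(line, 16)


def strict_content_length(values: List[str]) -> int:
    """Exactly one value (identical duplicates allowed), ASCII digits only."""
    if not values:
        raise BadRequest("no Content-Length")
    if len(set(values)) != 1:
        raise BadRequest("conflicting Content-Length headers")
    value = values[0]
    if _DIGITS.fullmatch(value) is None:
        raise BadRequest(f"malformed Content-Length {value!r}")
    return int(value)


def strict_chunk_size(line: str) -> int:
    """chunk-size [ ';' chunk-ext ]: hex digits and nothing else before ';'."""
    size, _sep, _ext = line.partition(";")
    if _HEXDIGITS.fullmatch(size) is None:
        raise BadRequest(f"malformed chunk-size {line!r}")
    return int(size, 16)


def framing(headers: Dict[str, List[str]]) -> Tuple[str, Optional[int]]:
    """How the body is delimited; headers maps lower-cased name to values."""
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if te and cl:
        # RFC 9112 section 6.1 treats this combination as a smuggling signal.
        raise BadRequest("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise BadRequest("final transfer coding must be chunked")
        return ("chunked", None)
    if cl:
        return ("length", strict_content_length(cl))
    return ("none", 0)


def _attempt(parser: Callable, arg) -> Optional[int]:
    try:
        return parser(arg)
    except ValueError:  # BadRequest is a ValueError, as is int()'s own error
        return None


def compare_content_length(value: str) -> Tuple[Optional[int], Optional[int]]:
    """(lax result, strict result); None where that parser rejects the value."""
    return (_attempt(lax_content_length, value),
            _attempt(strict_content_length, [value]))


def compare_chunk_size(line: str) -> Tuple[Optional[int], Optional[int]]:
    """(lax result, strict result); None where that parser rejects the line."""
    return (_attempt(lax_chunk_size, line), _attempt(strict_chunk_size, line))


def rejects(check: Callable, *args) -> bool:
    """True when the strict check raises BadRequest for these arguments."""
    try:
        check(*args)
    except BadRequest:
        return True
    return False


# Constructed probes. The lax parser accepts every Content-Length probe and
# the strict parser only "5"; for chunk sizes the strict parser accepts only
# the two RFC-shaped lines and the lax parser the two it should have refused.
CONTENT_LENGTH_PROBES = ["+5", " 5", "5_0", "\u0665", "5"]
CHUNK_SIZE_PROBES = ["0x1f", "1_f", "1f;name=value", "1f"]

if __name__ == "__main__":
    for probe in CONTENT_LENGTH_PROBES:
        print(f"Content-Length {probe!r}: lax/strict = {compare_content_length(probe)}")
    for probe in CHUNK_SIZE_PROBES:
        print(f"chunk-size {probe!r}: lax/strict = {compare_chunk_size(probe)}")
```

Each probe returns a (lax, strict) pair, so a None on the strict side is the parser refusing input that the permissive one would have turned into a body length. The same fullmatch discipline applies to any framing field that is later fed to int(); "$" anchors in a regex are not enough, since they match before a trailing newline.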

torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/validation-inference-scripts/dfp-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (torch version) Remediation Possible**
CVE-2024-31584 High 7.5 torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl Direct 2.2.0
CVE-2024-31583 High 7.5 torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl Direct 2.2.0
CVE-2024-31580 High 7.5 torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl Direct 2.2.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-31584

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/validation-inference-scripts/dfp-models/requirements.txt

Dependency Hierarchy:

  • torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

Publish Date: 2024-04-19

URL: CVE-2024-31584

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-31584

Release Date: 2024-04-19

Fix Resolution: 2.2.0

CVE-2024-31583

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/validation-inference-scripts/dfp-models/requirements.txt

Dependency Hierarchy:

  • torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

Publish Date: 2024-04-17

URL: CVE-2024-31583

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-31583

Release Date: 2024-04-17

Fix Resolution: 2.2.0

CVE-2024-31580

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/validation-inference-scripts/dfp-models/requirements.txt

Dependency Hierarchy:

  • torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

Publish Date: 2024-04-17

URL: CVE-2024-31580

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-31580

Release Date: 2024-04-17

Fix Resolution: 2.2.0

numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 1 vulnerability (highest severity is: 5.3)

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library:

  • /docker/conda/environments/requirements.txt
  • /models/training-tuning-scripts/abp-models/requirements.txt
  • /models/validation-inference-scripts/log-parsing-models/requirements.txt
  • /models/validation-inference-scripts/phishing-models/requirements.txt
  • /models/training-tuning-scripts/root-cause-models/requirements.txt
  • /models/training-tuning-scripts/phishing-models/requirements.txt
  • /models/validation-inference-scripts/abp-models/requirements.txt
  • /models/validation-inference-scripts/fraud-detection-models/requirements.txt
  • /models/training-tuning-scripts/fraud-detection-models/requirements.txt
  • /models/training-tuning-scripts/log-parsing-models/requirements.txt
  • /models/training-tuning-scripts/sid-models/requirements.txt
  • /models/validation-inference-scripts/root-cause-models/requirements.txt
  • /tmp/ws-scm/Morpheus
  • /models/validation-inference-scripts/dfp-models/requirements.txt
  • /models/training-tuning-scripts/ransomware-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

Columns: CVE, Severity, CVSS, Dependency, Type, Fixed in (numpy version), Remediation Possible**

  • CVE-2021-34141: Medium, CVSS 5.3, numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl, Direct, fixed in 1.22.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-34141

Vulnerable Library - numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/6d/ad/ff3b21ebfe79a4d25b4a4f8e5cf9fd44a204adb6b33c09010f566f51027a/numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library:

  • /docker/conda/environments/requirements.txt
  • /models/training-tuning-scripts/abp-models/requirements.txt
  • /models/validation-inference-scripts/log-parsing-models/requirements.txt
  • /models/validation-inference-scripts/phishing-models/requirements.txt
  • /models/training-tuning-scripts/root-cause-models/requirements.txt
  • /models/training-tuning-scripts/phishing-models/requirements.txt
  • /models/validation-inference-scripts/abp-models/requirements.txt
  • /models/validation-inference-scripts/fraud-detection-models/requirements.txt
  • /models/training-tuning-scripts/fraud-detection-models/requirements.txt
  • /models/training-tuning-scripts/log-parsing-models/requirements.txt
  • /models/training-tuning-scripts/sid-models/requirements.txt
  • /models/validation-inference-scripts/root-cause-models/requirements.txt
  • /tmp/ws-scm/Morpheus
  • /models/validation-inference-scripts/dfp-models/requirements.txt
  • /models/training-tuning-scripts/ransomware-models/requirements.txt

Dependency Hierarchy:

  • numpy-1.21.6-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: 1.22.0

protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

Columns: CVE, Severity, CVSS, Dependency, Type, Fixed in (protobuf version), Remediation Available

  • CVE-2022-1941: High, CVSS 7.5, protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl, Direct, fixed in 3.20.2

Details

CVE-2022-1941

Vulnerable Library - protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Protocol Buffers

Library home page: https://files.pythonhosted.org/packages/21/9b/258771d72fd2cf27eed3cfea1fc957a12666ccde394b294ac563fca23f2d/protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt

Dependency Hierarchy:

  • protobuf-3.20.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python, can lead to out-of-memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions 3.16 and 3.17 are no longer updated.

Publish Date: 2022-09-22

URL: CVE-2022-1941

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-8gq9-2x98-w8hf

Release Date: 2022-09-22

Fix Resolution: 3.20.2

sympy-1.10.1-py3-none-any.whl: 1 vulnerability (highest severity is: 9.8)

Vulnerable Library - sympy-1.10.1-py3-none-any.whl

Computer algebra system (CAS) in Python

Library home page: https://files.pythonhosted.org/packages/d0/04/66be21ceb305c66a4b326b0ae44cc4f027a43bc08cac204b48fb45bb3653/sympy-1.10.1-py3-none-any.whl

Path to dependency file: /models/validation-inference-scripts/phishing-models/requirements.txt

Path to vulnerable library:

  • /models/validation-inference-scripts/phishing-models/requirements.txt
  • /models/validation-inference-scripts/root-cause-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

Columns: CVE, Severity, CVSS, Dependency, Type, Fixed in (sympy version), Remediation Possible**

  • WS-2023-0180: Critical, CVSS 9.8, sympy-1.10.1-py3-none-any.whl, Direct, fixed in sympy - 1.12

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2023-0180

Vulnerable Library - sympy-1.10.1-py3-none-any.whl

Computer algebra system (CAS) in Python

Library home page: https://files.pythonhosted.org/packages/d0/04/66be21ceb305c66a4b326b0ae44cc4f027a43bc08cac204b48fb45bb3653/sympy-1.10.1-py3-none-any.whl

Path to dependency file: /models/validation-inference-scripts/phishing-models/requirements.txt

Path to vulnerable library:

  • /models/validation-inference-scripts/phishing-models/requirements.txt
  • /models/validation-inference-scripts/root-cause-models/requirements.txt

Dependency Hierarchy:

  • sympy-1.10.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

XML External Entity (XXE) injection in sympy in sympy/sympy

Publish Date: 2023-03-29

URL: WS-2023-0180

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/692bf03d-973b-4fbc-b9e4-dd158bdd422b/

Release Date: 2023-03-29

Fix Resolution: sympy - 1.12

transformers-4.22.2-py3-none-any.whl: 4 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - transformers-4.22.2-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

Columns: CVE, Severity, CVSS, Dependency, Type, Fixed in (transformers version), Remediation Possible**

  • CVE-2023-6730: High, CVSS 8.8, transformers-4.22.2-py3-none-any.whl, Direct, fixed in 4.36.0
  • CVE-2023-7018: High, CVSS 7.8, transformers-4.22.2-py3-none-any.whl, Direct, fixed in 4.36.0
  • CVE-2023-2800: Medium, CVSS 4.7, transformers-4.22.2-py3-none-any.whl, Direct, fixed in 4.30.1
  • CVE-2024-3568: Low, CVSS 3.4, transformers-4.22.2-py3-none-any.whl, Direct, fixed in 4.38.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-6730

Vulnerable Library - transformers-4.22.2-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt

Dependency Hierarchy:

  • transformers-4.22.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-19

URL: CVE-2023-6730

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16/

Release Date: 2023-12-19

Fix Resolution: 4.36.0

CVE-2023-7018

Vulnerable Library - transformers-4.22.2-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt

Dependency Hierarchy:

  • transformers-4.22.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-20

URL: CVE-2023-7018

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018

Release Date: 2023-12-20

Fix Resolution: 4.36.0

CVE-2023-2800

Vulnerable Library - transformers-4.22.2-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt

Dependency Hierarchy:

  • transformers-4.22.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.

Publish Date: 2023-05-18

URL: CVE-2023-2800

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a/

Release Date: 2023-05-18

Fix Resolution: 4.30.1

CVE-2024-3568

Vulnerable Library - transformers-4.22.2-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/b1/7a/60a226cb857bb7e4c3c8ceaf7035b6618e5cec8056426fbd0a914a70f2b1/transformers-4.22.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/log-parsing-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/log-parsing-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/validation-inference-scripts/log-parsing-models/requirements.txt

Dependency Hierarchy:

  • transformers-4.22.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the load_repo_checkpoint() function of the TFPreTrainedModel() class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of pickle.load() on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

Publish Date: 2024-04-10

URL: CVE-2024-3568

CVSS 3 Score Details (3.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-3568

Release Date: 2024-04-10

Fix Resolution: 4.38.0

certifi-2023.5.7-py3-none-any.whl: 1 vulnerability (highest severity is: 9.8)

Vulnerable Library - certifi-2023.5.7-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/9d/19/59961b522e6757f0c9097e4493fa906031b95b3ebe9360b2c3083561a6b4/certifi-2023.5.7-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library:

  • /models/training-tuning-scripts/fraud-detection-models/requirements.txt
  • /models/training-tuning-scripts/sid-models/requirements.txt
  • /models/training-tuning-scripts/phishing-models/requirements.txt
  • /models/training-tuning-scripts/log-parsing-models/requirements.txt
  • /models/training-tuning-scripts/root-cause-models/requirements.txt
  • /models/validation-inference-scripts/fraud-detection-models/requirements.txt
  • /tmp/ws-scm/Morpheus
  • /models/validation-inference-scripts/log-parsing-models/requirements.txt
  • /docs/requirements.txt
  • /docker/conda/environments/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

Columns: CVE, Severity, CVSS, Dependency, Type, Fixed in (certifi version), Remediation Possible**

  • CVE-2023-37920: Critical, CVSS 9.8, certifi-2023.5.7-py3-none-any.whl, Direct, fixed in 2023.7.22

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-37920

Vulnerable Library - certifi-2023.5.7-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/9d/19/59961b522e6757f0c9097e4493fa906031b95b3ebe9360b2c3083561a6b4/certifi-2023.5.7-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library:

  • /models/training-tuning-scripts/fraud-detection-models/requirements.txt
  • /models/training-tuning-scripts/sid-models/requirements.txt
  • /models/training-tuning-scripts/phishing-models/requirements.txt
  • /models/training-tuning-scripts/log-parsing-models/requirements.txt
  • /models/training-tuning-scripts/root-cause-models/requirements.txt
  • /models/validation-inference-scripts/fraud-detection-models/requirements.txt
  • /tmp/ws-scm/Morpheus
  • /models/validation-inference-scripts/log-parsing-models/requirements.txt
  • /docs/requirements.txt
  • /docker/conda/environments/requirements.txt

Dependency Hierarchy:

  • certifi-2023.5.7-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Publish Date: 2023-07-25

URL: CVE-2023-37920

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xqr8-7jwr-rhp7

Release Date: 2023-07-25

Fix Resolution: 2023.7.22

urllib3-2.0.2-py3-none-any.whl: 2 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - urllib3-2.0.2-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/4b/1d/f8383ef593114755429c307449e7717b87044b3bcd5f7860b89b1f759e34/urllib3-2.0.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/root-cause-models/requirements.txt

Path to vulnerable library:

  • /models/training-tuning-scripts/root-cause-models/requirements.txt
  • /models/validation-inference-scripts/log-parsing-models/requirements.txt
  • /docker/conda/environments/requirements.txt
  • /models/training-tuning-scripts/sid-models/requirements.txt
  • /models/training-tuning-scripts/phishing-models/requirements.txt
  • /tmp/ws-scm/Morpheus
  • /models/training-tuning-scripts/log-parsing-models/requirements.txt
  • /docs/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

Columns: CVE, Severity, CVSS, Dependency, Type, Fixed in (urllib3 version), Remediation Possible**

  • CVE-2023-43804: High, CVSS 8.1, urllib3-2.0.2-py3-none-any.whl, Direct, fixed in 2.0.6
  • CVE-2023-45803: Medium, CVSS 4.2, urllib3-2.0.2-py3-none-any.whl, Direct, fixed in 2.0.7

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-43804

Vulnerable Library - urllib3-2.0.2-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/4b/1d/f8383ef593114755429c307449e7717b87044b3bcd5f7860b89b1f759e34/urllib3-2.0.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/root-cause-models/requirements.txt

Path to vulnerable library:

  • /models/training-tuning-scripts/root-cause-models/requirements.txt
  • /models/validation-inference-scripts/log-parsing-models/requirements.txt
  • /docker/conda/environments/requirements.txt
  • /models/training-tuning-scripts/sid-models/requirements.txt
  • /models/training-tuning-scripts/phishing-models/requirements.txt
  • /tmp/ws-scm/Morpheus
  • /models/training-tuning-scripts/log-parsing-models/requirements.txt
  • /docs/requirements.txt

Dependency Hierarchy:

  • urllib3-2.0.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution: 2.0.6

CVE-2023-45803

Vulnerable Library - urllib3-2.0.2-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/4b/1d/f8383ef593114755429c307449e7717b87044b3bcd5f7860b89b1f759e34/urllib3-2.0.2-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/root-cause-models/requirements.txt

Path to vulnerable library:

  • /models/training-tuning-scripts/root-cause-models/requirements.txt
  • /models/validation-inference-scripts/log-parsing-models/requirements.txt
  • /docker/conda/environments/requirements.txt
  • /models/training-tuning-scripts/sid-models/requirements.txt
  • /models/training-tuning-scripts/phishing-models/requirements.txt
  • /tmp/ws-scm/Morpheus
  • /models/training-tuning-scripts/log-parsing-models/requirements.txt
  • /docs/requirements.txt

Dependency Hierarchy:

  • urllib3-2.0.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 was received after the request had its method changed from one that could accept a request body (like POST) to GET, as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections, and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality, we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies; if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON), and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer, or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7, and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expected to respond with redirects (redirects=False), or disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution: 2.0.7

requests-2.30.0-py3-none-any.whl: 1 vulnerability (highest severity is: 6.1)

Vulnerable Library - requests-2.30.0-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/96/80/034ffeca15c0f4e01b7b9c6ad0fb704b44e190cde4e757edbd60be404c41/requests-2.30.0-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/root-cause-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/root-cause-models/requirements.txt,/docs/requirements.txt,/docker/conda/environments/requirements.txt,/models/training-tuning-scripts/log-parsing-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/log-parsing-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/sid-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/training-tuning-scripts/root-cause-models/requirements.txt,/models/training-tuning-scripts/phishing-models/requirements.txt,/models/training-tuning-scripts/sid-models/requirements.txt,/models/training-tuning-scripts/phishing-models/requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (requests version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-32681 | Medium | 6.1 | requests-2.30.0-py3-none-any.whl | Direct | requests - 2.31.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-32681

Vulnerable Library - requests-2.30.0-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/96/80/034ffeca15c0f4e01b7b9c6ad0fb704b44e190cde4e757edbd60be404c41/requests-2.30.0-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/root-cause-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/root-cause-models/requirements.txt,/docs/requirements.txt,/docker/conda/environments/requirements.txt,/models/training-tuning-scripts/log-parsing-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/log-parsing-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/sid-models/requirements.txt,/tmp/ws-scm/Morpheus,/models/training-tuning-scripts/root-cause-models/requirements.txt,/models/training-tuning-scripts/phishing-models/requirements.txt,/models/training-tuning-scripts/sid-models/requirements.txt,/models/training-tuning-scripts/phishing-models/requirements.txt

Dependency Hierarchy:

  • requests-2.30.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: branch-23.03

Vulnerability Details

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Publish Date: 2023-05-26

URL: CVE-2023-32681

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8r2-6x86-q33q

Release Date: 2023-05-26

Fix Resolution: requests - 2.31.0

tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 99 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (tensorflow version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-25668 | Critical | 9.8 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | |
| CVE-2023-25664 | Critical | 9.8 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | |
| CVE-2022-41900 | Critical | 9.8 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | |
| CVE-2022-35939 | Critical | 9.8 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-41910 | Critical | 9.1 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | |
| CVE-2022-41902 | Critical | 9.1 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | |
| CVE-2022-41880 | Critical | 9.1 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | |
| CVE-2022-35938 | Critical | 9.1 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35937 | Critical | 9.1 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-41894 | High | 8.1 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | |
| WS-2022-0401 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.9.3 | |
| CVE-2023-25676 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25675 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25674 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25673 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25672 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25671 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | |
| CVE-2023-25670 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25669 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25667 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25665 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | |
| CVE-2023-25663 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25662 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25660 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25659 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2023-25658 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0 | |
| CVE-2022-41911 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.9.3 | |
| CVE-2022-41909 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | |
| CVE-2022-41908 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-cpu - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-gpu - 2.8.4,2.9.3,2.10.1,2.11.0 | |
| CVE-2022-41907 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-368v-7v32-52fx | |
| CVE-2022-41901 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | |
| CVE-2022-41899 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-27rc-728f-x5w2 | |
| CVE-2022-41898 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | |
| CVE-2022-41897 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-f2w8-jw48-fr7j | |
| CVE-2022-41896 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-rmg2-f698-wq35 | |
| CVE-2022-41895 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | |
| CVE-2022-41893 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1 | |
| CVE-2022-41891 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | GHSA-66vq-54fq-6jvv | |
| CVE-2022-41889 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | |
| CVE-2022-41888 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | |
| CVE-2022-41887 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.9.3 | |
| CVE-2022-41886 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | |
| CVE-2022-41885 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.9.1 | |
| CVE-2022-41884 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 | |
| CVE-2022-36027 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36026 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36019 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36018 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36017 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36016 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36015 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36014 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.9.1 | |
| CVE-2022-36013 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.9.1 | |
| CVE-2022-36012 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36011 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36005 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36004 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36003 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36002 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36001 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-36000 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35999 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35998 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35997 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35996 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35995 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35994 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35993 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35992 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35991 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35989 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35988 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35987 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35986 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35985 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35984 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35983 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35982 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35981 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35979 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35974 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35973 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35972 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35971 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35970 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35969 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35968 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35967 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35966 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35965 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35963 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35960 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35959 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35952 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35941 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.9.1 | |
| CVE-2022-35940 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35935 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2022-35934 | High | 7.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0 | |
| CVE-2023-25661 | Medium | 6.5 | tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | 2.11.1 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (8 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-25668

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. Attackers using TensorFlow prior to 2.12.0 or 2.11.1 can access heap memory which is not under the user's control, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also be cherry-picked onto TensorFlow version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25668

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-gw97-ff7c-9v96

Release Date: 2023-03-25

Fix Resolution: 2.11.1

CVE-2023-25664

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25664

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6hg6-5c2q-7rcr

Release Date: 2023-03-25

Fix Resolution: 2.11.1

CVE-2022-41900

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The vulnerability lies in FractionalMaxPool and FractionalAvgPool when given an illegal pooling_ratio. Attackers using TensorFlow can exploit it to access heap memory which is not under the user's control, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit onto TensorFlow 2.10.1.

Publish Date: 2022-11-18

URL: CVE-2022-41900

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvwp-h6jv-7472

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

CVE-2022-35939

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The ScatterNd function takes an input argument that determines the indices of the output tensor. An input index greater than the output tensor or less than zero will either write content at the wrong index or trigger a crash. We have patched the issue in GitHub commit b4d4b4cb019bd7240a52daa4ba61e3cc814f0384. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Publish Date: 2022-09-16

URL: CVE-2022-35939

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-ffjm-4qwc-7cmf

Release Date: 2022-09-16

Fix Resolution: tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0

CVE-2022-41910

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1.

Publish Date: 2022-12-06

URL: CVE-2022-41910

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-frqp-wp83-qggv

Release Date: 2022-09-30

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

CVE-2022-41902

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1.

Publish Date: 2022-12-06

URL: CVE-2022-41902

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cg88-rpvp-cjv5

Release Date: 2022-09-30

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

CVE-2022-41880

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. When the BaseCandidateSamplerOp function receives a value in true_classes larger than range_max, a heap oob read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41880

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41880

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

CVE-2022-35938

Vulnerable Library - tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/47/30/7d3ba75c6c3b44d458d40622c6cc0695b08d5bcdde999bd2102362eac68c/tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • tensorflow-2.9.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

TensorFlow is an open source platform for machine learning. The GatherNd function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. This issue has been patched in GitHub commit 4142e47e9e31db481781b955ed3ff807a781b494. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Publish Date: 2022-09-16

URL: CVE-2022-35938

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3m3g-pf5v-5hpj

Release Date: 2022-09-16

Fix Resolution: tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0
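
Each TensorFlow finding above ends in a Fix Resolution line that lists the patched releases per package, in two slightly different layouts, while the pin in the requirements file sits on one release line (tensorflow 2.9.0) and the fixes land on several (2.8.4, 2.9.3, 2.10.1, 2.11.0). The version a maintainer actually wants is the smallest one that carries every listed fix, preferably on the pin's own 2.9 line so the change stays a patch release. The script below is an added example, not code from Mend, Morpheus or this report; the requirements text and the findings table in it are constructed from the Fix Resolution fields shown on this page, and every function and variable name is the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample input: pins of the kind the requirements files in this report carry.
SAMPLE_REQUIREMENTS = """
tensorflow==2.9.0
urllib3==1.26.15
mpmath==1.2.1
numpy>=1.21  # unpinned lines are ignored by the triage
"""

# Constructed from the Fix Resolution fields of the issues on this page:
# (CVE, package the issue is filed against, Fix Resolution text or None when none is listed).
SAMPLE_FINDINGS = [
    ("CVE-2022-41900", "tensorflow",
     "tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1"),
    ("CVE-2022-35939", "tensorflow",
     "tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0"),
    ("CVE-2022-41880", "tensorflow",
     "tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0"),
    ("CVE-2023-43804", "urllib3", "1.26.17"),
    ("CVE-2023-45803", "urllib3", "1.26.18"),
    ("CVE-2021-29063", "mpmath", None),
]


def parse_version(text: str) -> Version:
    """'2.10.1' -> (2, 10, 1). Only dotted release numbers appear in these advisories."""
    return tuple(int(part) for part in text.strip().split("."))


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


def parse_fix_resolution(fix: str, default_package: str) -> Dict[str, List[Version]]:
    """Parse a Fix Resolution field into {package: [fixed versions]}.

    Accepts both layouts used in this report ('pkg - a,b;pkg2 - a,b' and
    'pkg - a, b, pkg2 - a, b') plus the bare 'x.y.z' form, which names no package
    and so refers to the library the issue is about.
    """
    fixes: Dict[str, List[Version]] = {}
    current = default_package
    for token in re.split(r"[;,]", fix):
        token = token.strip()
        if not token:
            continue
        if " - " in token:  # a new 'package - version' group starts here
            package, token = token.split(" - ", 1)
            current = package.strip().lower()
        fixes.setdefault(current, []).append(parse_version(token))
    return fixes


def parse_requirement_pins(requirements: str) -> Dict[str, Version]:
    """Collect exact 'name==x.y.z' pins; ranges and comments are skipped."""
    pins: Dict[str, Version] = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*(\d+(?:\.\d+)*)$", line)
        if match:
            pins[match.group(1).lower()] = parse_version(match.group(2))
    return pins


def covers(candidate: Version, fixed: List[Version]) -> bool:
    """True when `candidate` contains a fix released as one of `fixed`: it is at or above
    the fix on its own major.minor line, or it lies on a newer line than all of them."""
    if any(fix[:2] == candidate[:2] and candidate >= fix for fix in fixed):
        return True
    return candidate[:2] > max(fixed)[:2]


def recommend_upgrade(installed: Version, fixed_per_cve: List[List[Version]]) -> Optional[Version]:
    """Smallest version above the pin that covers every CVE with a fix, trying the pin's own
    major.minor line first. Findings without a fix are left out: an upgrade cannot close them."""
    fixed_per_cve = [fixed for fixed in fixed_per_cve if fixed]
    if not fixed_per_cve:
        return None
    candidates = {v for fixed in fixed_per_cve for v in fixed if v > installed}
    for candidate in sorted(candidates, key=lambda v: (v[:2] != installed[:2], v)):
        if all(covers(candidate, fixed) for fixed in fixed_per_cve):
            return candidate
    return None


def triage(requirements: str, findings: List[Tuple[str, str, Optional[str]]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each pinned package that has findings to (pinned version, version to upgrade to or None)."""
    pins = parse_requirement_pins(requirements)
    fixed_lists: Dict[str, List[List[Version]]] = {}
    for _cve, package, fix in findings:
        package = package.lower()
        fixes = parse_fix_resolution(fix, package) if fix else {}
        fixed_lists.setdefault(package, []).append(fixes.get(package, []))
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for package, per_cve in fixed_lists.items():
        if package in pins:
            target = recommend_upgrade(pins[package], per_cve)
            report[package] = (format_version(pins[package]), format_version(target) if target else None)
    return report


if __name__ == "__main__":
    for package, (pinned, target) in triage(SAMPLE_REQUIREMENTS, SAMPLE_FINDINGS).items():
        print(f"{package}=={pinned} -> {target or 'no fixed release listed'}")
```

Feed the real requirements files' text to triage to run it against the repository. For this report the logic rejects 2.9.1, because CVE-2022-41900 and CVE-2022-41880 are only fixed from 2.9.3 on that line, settles on 2.9.3 for tensorflow and 1.26.18 for urllib3, and returns None for mpmath, where the scanner lists no fixed release at all.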

jupyterlab-3.6.3-py3-none-any.whl: 4 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - jupyterlab-3.6.3-py3-none-any.whl

JupyterLab computational environment

Library home page: https://files.pythonhosted.org/packages/b7/d3/6cb05493e97f2ad7e10ae251597f54e4d224bafd6220501601063b237839/jupyterlab-3.6.3-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE             Severity  CVSS  Dependency                              Type        Fixed in (jupyterlab version)  Remediation Possible**
CVE-2024-22421  Medium    6.5   jupyterlab-3.6.3-py3-none-any.whl       Direct      3.6.7
CVE-2023-40170  Medium    6.1   jupyter_server-1.24.0-py3-none-any.whl  Transitive  3.6.4
CVE-2023-39968  Medium    6.1   jupyter_server-1.24.0-py3-none-any.whl  Transitive  3.6.4
CVE-2023-49080  Medium    4.3   jupyter_server-1.24.0-py3-none-any.whl  Transitive  3.6.4

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-22421

Vulnerable Library - jupyterlab-3.6.3-py3-none-any.whl

JupyterLab computational environment

Library home page: https://files.pythonhosted.org/packages/b7/d3/6cb05493e97f2ad7e10ae251597f54e4d224bafd6220501601063b237839/jupyterlab-3.6.3-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt

Dependency Hierarchy:

  • jupyterlab-3.6.3-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

Publish Date: 2024-01-19

URL: CVE-2024-22421

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-22421

Release Date: 2024-01-19

Fix Resolution: 3.6.7

CVE-2023-40170

Vulnerable Library - jupyter_server-1.24.0-py3-none-any.whl

The backend—i.e. core services, APIs, and REST endpoints—to Jupyter web applications.

Library home page: https://files.pythonhosted.org/packages/5b/ce/142bcb35ffe215d8880e968689ab733bd7976a6c20dae24b6782cce2219a/jupyter_server-1.24.0-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt

Dependency Hierarchy:

  • jupyterlab-3.6.3-py3-none-any.whl (Root Library)
    • jupyter_server-1.24.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit 87a49272728 which has been included in release 2.7.2. Users are advised to upgrade. Users unable to upgrade may use the lower performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler, which implements the correct checks.

Publish Date: 2023-08-28

URL: CVE-2023-40170

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-40170

Release Date: 2023-08-28

Fix Resolution (jupyter-server): 2.7.2

Direct dependency fix Resolution (jupyterlab): 3.6.4

CVE-2023-39968

Vulnerable Library - jupyter_server-1.24.0-py3-none-any.whl

The backend—i.e. core services, APIs, and REST endpoints—to Jupyter web applications.

Library home page: https://files.pythonhosted.org/packages/5b/ce/142bcb35ffe215d8880e968689ab733bd7976a6c20dae24b6782cce2219a/jupyter_server-1.24.0-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt

Dependency Hierarchy:

  • jupyterlab-3.6.3-py3-none-any.whl (Root Library)
    • jupyter_server-1.24.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit 29036259 which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-08-28

URL: CVE-2023-39968

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-39968

Release Date: 2023-08-28

Fix Resolution (jupyter-server): 2.7.2

Direct dependency fix Resolution (jupyterlab): 3.6.4

CVE-2023-49080

Vulnerable Library - jupyter_server-1.24.0-py3-none-any.whl

The backend—i.e. core services, APIs, and REST endpoints—to Jupyter web applications.

Library home page: https://files.pythonhosted.org/packages/5b/ce/142bcb35ffe215d8880e968689ab733bd7976a6c20dae24b6782cce2219a/jupyter_server-1.24.0-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt

Dependency Hierarchy:

  • jupyterlab-3.6.3-py3-none-any.whl (Root Library)
    • jupyter_server-1.24.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. A fix has been introduced in commit 0056c3aa52 which no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty. This commit has been included in version 2.11.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-12-04

URL: CVE-2023-49080

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49080

Release Date: 2023-12-04

Fix Resolution (jupyter-server): 2.11.2

Direct dependency fix Resolution (jupyterlab): 3.6.4
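
Two of the findings above concern where a Jupyter server sends the browser after login: CVE-2023-39968 lets a crafted login link redirect a session to an arbitrary site, and CVE-2024-22421 turns that into token exposure when the redirect target is a third party. The usual defence is to validate the post-login target before issuing the redirect: accept only a path under the server's own base_url and fall back to base_url for anything else. The function below is an added example written for this page, not jupyter-server's or JupyterLab's own code; the base_url of /lab/ and the test inputs are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit


def safe_redirect_target(next_url: str, base_url: str = "/") -> str:
    """Return `next_url` when it is a path under `base_url` on this server, else `base_url`.

    Refused: absolute URLs (any scheme or host), scheme-relative targets ('//host',
    '///host'), backslashes (browsers turn '/\\host' into '//host'), tab and newline
    characters, and paths that normalisation would change ('..' or '//' segments),
    which are the usual raw material for prefix-check bypasses.
    """
    candidate = (next_url or "").strip()
    # These checks run on the raw string: urlsplit('///evil') reports an empty netloc
    # and a harmless-looking path, yet a browser resolves it to host 'evil'.
    if not candidate or candidate.startswith("//") or any(ch in candidate for ch in "\\\t\r\n"):
        return base_url
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return base_url
    # Decode before normalising so '%2e%2e' cannot sneak past the prefix check,
    # and refuse anything normalisation would rewrite rather than trying to repair it.
    decoded = unquote(parts.path)
    normalized = posixpath.normpath(decoded)
    if decoded.startswith("//") or decoded not in (normalized, normalized + "/"):
        return base_url
    base = posixpath.normpath(base_url)
    if normalized != base and not normalized.startswith(base.rstrip("/") + "/"):
        return base_url
    # Hand back the original (still encoded) path with its query; the host is ours.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for target in ("/lab/tree/a.ipynb?token=1", "//evil.example/phish", "/lab/../admin",
                   "https://evil.example/phish", "/\\evil.example"):
        print(f"{target!r:35} -> {safe_redirect_target(target, '/lab/')!r}")
```

The order matters: the raw-string rejections come before urlsplit because '///evil.example' and '/\evil.example' both parse to an empty netloc, so a check on parsed fields alone would let them through. Rejecting rather than normalising traversal keeps the function's output identical to its input whenever it accepts, which makes the accepted set easy to reason about in a review.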

urllib3-1.26.15-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - urllib3-1.26.15-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE             Severity  CVSS  Dependency                            Type    Fixed in (urllib3 version)  Remediation Possible**
CVE-2023-43804  High      8.1   urllib3-1.26.15-py2.py3-none-any.whl  Direct  1.26.17
CVE-2023-45803  Medium    4.2   urllib3-1.26.15-py2.py3-none-any.whl  Direct  1.26.18

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-43804

Vulnerable Library - urllib3-1.26.15-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • urllib3-1.26.15-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution: 1.26.17

CVE-2023-45803

Vulnerable Library - urllib3-1.26.15-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/7b/f5/890a0baca17a61c1f92f72b81d3c31523c99bec609e60c292ea55b387ae8/urllib3-1.26.15-py2.py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • urllib3-1.26.15-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution: 1.26.18
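
Both urllib3 findings above are about what a client carries across a redirect: CVE-2023-43804 is the Cookie header following a 3xx to a different origin, CVE-2023-45803 is the request body (and its framing headers) surviving a 301/302/303 that turns a POST into a GET. The policy is small enough to state as one function: compare origins before forwarding credentials, and drop the body whenever the method changes. The code below is an added example, not urllib3's implementation; the request, its headers and the canned response table it walks are constructed for the demonstration.

```python
from typing import Dict, Mapping, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

Headers = Dict[str, str]
Request = Tuple[str, str, Headers, Optional[bytes]]  # method, url, headers, body

CREDENTIAL_HEADERS = {"cookie", "authorization"}
BODY_HEADERS = {"content-length", "content-type", "content-encoding", "transfer-encoding"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample request: a login POST carrying both kinds of secret.
SAMPLE_HEADERS: Headers = {
    "Cookie": "session=abc123",
    "Authorization": "Bearer eyJ...",
    "Content-Type": "application/json",
    "Content-Length": "17",
}
SAMPLE_BODY = b'{"pw": "hunter2"}'

# Constructed response table {url: (status, Location)}: a same-origin hop, then a hop
# to a third party. Any URL not listed is taken to answer 200.
SAMPLE_RESPONSES = {
    "https://api.example.com/login": (302, "/session"),
    "https://api.example.com/session": (302, "https://tracker.example.net/collect"),
}


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, effective port): the same-origin test that decides whether
    credentials may travel with the next request. Default ports are filled in so
    'https://h/' and 'https://h:443/' compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def drop_headers(headers: Mapping[str, str], names: Set[str]) -> Headers:
    """Case-insensitive removal of the named headers."""
    return {k: v for k, v in headers.items() if k.lower() not in names}


def follow_redirect(method: str, url: str, headers: Mapping[str, str], body: Optional[bytes],
                    status: int, location: str) -> Request:
    """Build the next request for one redirect hop.

    - Credentials (Cookie, Authorization) never cross an origin boundary (CVE-2023-43804).
    - A 301/302/303 turns a body-carrying method into GET, and the body and its
      framing headers go with it (CVE-2023-45803). 307 and 308 keep method and body.
    """
    target = urljoin(url, location)
    next_headers: Headers = dict(headers)
    if origin(target) != origin(url):
        next_headers = drop_headers(next_headers, CREDENTIAL_HEADERS)
    if status in (301, 302, 303) and method.upper() not in ("GET", "HEAD"):
        method, body = "GET", None
        next_headers = drop_headers(next_headers, BODY_HEADERS)
    return method, target, next_headers, body


def walk_redirects(method: str, url: str, headers: Mapping[str, str], body: Optional[bytes],
                   responses: Mapping[str, Tuple[int, Optional[str]]], max_redirects: int = 5) -> Request:
    """Drive follow_redirect over a canned response table the way a client loop would,
    stopping at the first non-redirect and refusing chains longer than max_redirects."""
    headers = dict(headers)
    for _ in range(max_redirects + 1):
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            return method, url, headers, body
        method, url, headers, body = follow_redirect(method, url, headers, body, status, location)
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    print(walk_redirects("POST", "https://api.example.com/login", SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_RESPONSES))
```

walk_redirects shows the two rules composing: the first hop stays on api.example.com, so the cookie survives while the body and its Content-* headers are dropped; the second hop crosses to tracker.example.net, so the cookie and bearer token are stripped as well. A 307 or 308 keeps the method and body by design, which is why those codes are absent from the method-rewrite check; an https-to-http downgrade on the same host counts as a different origin and loses the credentials too.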

mpmath-1.2.1-py3-none-any.whl: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - mpmath-1.2.1-py3-none-any.whl

Python library for arbitrary-precision floating-point arithmetic

Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl

Path to dependency file: /models/validation-inference-scripts/root-cause-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/root-cause-models/requirements.txt,/models/validation-inference-scripts/phishing-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE             Severity  CVSS  Dependency                     Type    Fixed in (mpmath version)  Remediation Available
CVE-2021-29063  High      7.5   mpmath-1.2.1-py3-none-any.whl  Direct  N/A

Details

CVE-2021-29063

Vulnerable Library - mpmath-1.2.1-py3-none-any.whl

Python library for arbitrary-precision floating-point arithmetic

Library home page: https://files.pythonhosted.org/packages/d4/cf/3965bddbb4f1a61c49aacae0e78fd1fe36b5dc36c797b31f30cf07dcbbb7/mpmath-1.2.1-py3-none-any.whl

Path to dependency file: /models/validation-inference-scripts/root-cause-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/root-cause-models/requirements.txt,/models/validation-inference-scripts/phishing-models/requirements.txt

Dependency Hierarchy:

  • mpmath-1.2.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath v1.0.0 through v1.2.1 when the mpmathify function is called.
Mend Note: After conducting further research, Mend has determined that all versions of mpmath through 1.2.1 are vulnerable to CVE-2021-29063.

Publish Date: 2021-06-21

URL: CVE-2021-29063

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

fonttools-4.38.0-py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - fonttools-4.38.0-py3-none-any.whl

Tools to manipulate font files

Library home page: https://files.pythonhosted.org/packages/e3/d9/e9bae85e84737e76ebbcbea13607236da0c0699baed0ae4f1151b728a608/fonttools-4.38.0-py3-none-any.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/training-tuning-scripts/ransomware-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE             Severity  CVSS  Dependency                         Type    Fixed in (fonttools version)  Remediation Possible**
CVE-2023-45139  High      7.5   fonttools-4.38.0-py3-none-any.whl  Direct  4.43.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-45139

Vulnerable Library - fonttools-4.38.0-py3-none-any.whl

Tools to manipulate font files

Library home page: https://files.pythonhosted.org/packages/e3/d9/e9bae85e84737e76ebbcbea13607236da0c0699baed0ae4f1151b728a608/fonttools-4.38.0-py3-none-any.whl

Path to dependency file: /models/validation-inference-scripts/dfp-models/requirements.txt

Path to vulnerable library: /models/validation-inference-scripts/dfp-models/requirements.txt,/models/training-tuning-scripts/ransomware-models/requirements.txt,/models/training-tuning-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • fonttools-4.38.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

fontTools is a library for manipulating fonts, written in Python. The subsetting module has an XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

Publish Date: 2024-01-10

URL: CVE-2023-45139

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-6673-4983-2vx5

Release Date: 2024-01-10

Fix Resolution: 4.43.0
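
The fonttools finding above is a textbook XXE: the subsetter parses the SVG documents embedded in an OT-SVG font, and an entity declared inside that XML can point at a local file or an HTTP URL, so a font file becomes a file-read or SSRF primitive. The upstream fix stops the parser from resolving entities; the stdlib version of that defence below refuses the DTD outright, before any entity can be declared, let alone resolved. It is an added example for this page and not fontTools' own code; both SVG documents are constructed, and the file:///etc/passwd reference in the second one exists only to be rejected, it is never opened.

```python
import xml.parsers.expat
from typing import List


class UnsafeXMLError(ValueError):
    """Raised as soon as a document tries to declare a DTD or an entity."""


# Constructed samples: a plausible OT-SVG glyph document, and the same kind of document
# carrying the external-entity declaration the advisory describes.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<g id="glyph1"><path d="M0 0h10v10z"/></g></svg>')
XXE_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')


def element_names(document: bytes) -> List[str]:
    """Parse an SVG document with expat, refusing any DOCTYPE or entity declaration
    before a single entity could be resolved. Returns element names in document order;
    malformed XML still raises expat's own ExpatError."""
    names: List[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def refuse_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} is not allowed in font SVG data")

    def refuse_entity(entity_name, *_):
        raise UnsafeXMLError(f"entity declaration {entity_name!r} is not allowed")

    def refuse_external(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity {system_id!r} is not allowed")

    parser.StartDoctypeDeclHandler = refuse_doctype   # blocks the whole DTD up front
    parser.EntityDeclHandler = refuse_entity           # belt and braces: any entity declaration
    parser.ExternalEntityRefHandler = refuse_external  # never fetch file:// or http:// targets
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(document, True)
    return names


def is_safe_svg(document: bytes) -> bool:
    """True when the document parses without attempting any DTD or entity tricks."""
    try:
        element_names(document)
    except UnsafeXMLError:
        return False
    return True


if __name__ == "__main__":
    print("benign:", element_names(BENIGN_SVG))
    print("xxe accepted:", is_safe_svg(XXE_SVG))
```

Real fonts almost never ship a DOCTYPE, so refusing it wholesale costs nothing; if one must be tolerated, keep the EntityDeclHandler and ExternalEntityRefHandler in place and only relax refuse_doctype. The three handlers overlap on purpose: the DOCTYPE check fires first, the other two stay as a floor should someone later loosen it.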

myst_parser-0.17.2-py3-none-any.whl: 1 vulnerability (highest severity is: 6.1)

Vulnerable Library - myst_parser-0.17.2-py3-none-any.whl

Path to dependency file: /docs/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt,/docs/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE             Severity  CVSS  Dependency                     Type        Fixed in (myst_parser version)  Remediation Possible**
CVE-2024-22195  Medium    6.1   Jinja2-3.1.2-py3-none-any.whl  Transitive  N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-22195

Vulnerable Library - Jinja2-3.1.2-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt,/docs/requirements.txt

Dependency Hierarchy:

  • myst_parser-0.17.2-py3-none-any.whl (Root Library)
    • Jinja2-3.1.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Publish Date: 2024-01-11

URL: CVE-2024-22195

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-h5c8-rqwp-cp95

Release Date: 2024-01-11

Fix Resolution: jinja2 - 3.1.3


Werkzeug-2.2.3-py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE            | Severity | CVSS | Dependency                      | Type   | Fixed in (Werkzeug version) | Remediation Possible**
CVE-2023-46136 | High     | 7.5  | Werkzeug-2.2.3-py3-none-any.whl | Direct | werkzeug - 2.3.8,3.0.1      |

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.

Details

CVE-2023-46136

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /models/training-tuning-scripts/fraud-detection-models/requirements.txt

Path to vulnerable library: /models/training-tuning-scripts/fraud-detection-models/requirements.txt,/models/validation-inference-scripts/fraud-detection-models/requirements.txt

Dependency Hierarchy:

  • Werkzeug-2.2.3-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. When an uploaded file starts with CR or LF and is then followed by megabytes of data without those characters, all of those bytes are appended chunk by chunk to an internal bytearray, and the boundary lookup is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.

Publish Date: 2023-10-25

URL: CVE-2023-46136

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-hrfv-mqp8-q5rw

Release Date: 2023-10-25

Fix Resolution: werkzeug - 2.3.8,3.0.1


ipython-7.34.0-py3-none-any.whl: 1 vulnerability (highest severity is: 7.0)

Vulnerable Library - ipython-7.34.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/7c/6a/1f1365f4bf9fcb349fcaa5b61edfcefa721aa13ff37c5631296b12fab8e5/ipython-7.34.0-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt,/docs/requirements.txt

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Vulnerabilities

CVE            | Severity | CVSS | Dependency                      | Type   | Fixed in (ipython version) | Remediation Possible**
CVE-2023-24816 | High     | 7.0  | ipython-7.34.0-py3-none-any.whl | Direct | 8.10.0                     |

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.

Details

CVE-2023-24816

Vulnerable Library - ipython-7.34.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/7c/6a/1f1365f4bf9fcb349fcaa5b61edfcefa721aa13ff37c5631296b12fab8e5/ipython-7.34.0-py3-none-any.whl

Path to dependency file: /docker/conda/environments/requirements.txt

Path to vulnerable library: /docker/conda/environments/requirements.txt,/docs/requirements.txt

Dependency Hierarchy:

  • ipython-7.34.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 42a2d393427e16f1b80a5df9fe14a37d045088ad

Found in base branch: branch-23.03

Vulnerability Details

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function IPython.utils.terminal.set_term_title be called on Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool, set_term_title could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function, they would be able to inject shell commands as the current process, limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the IPython.utils.terminal.set_term_title function are made with trusted or filtered input.

Publish Date: 2023-02-10

URL: CVE-2023-24816

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-24816

Release Date: 2023-02-10

Fix Resolution: 8.10.0
