bert_score-0.3.13-py3-none-any.whl: 12 vulnerabilities (highest severity is: 8.8) #7
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - transformers-4.30.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/5b/0b/e45d26ccd28568013523e04f325432ea88a442b4e3020b757cf4361f0120/transformers-4.30.2-py3-none-any.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
Publish Date: 2023-12-19
URL: CVE-2023-6730
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16/
Release Date: 2023-12-19
Fix Resolution: transformers - 4.36.0
Vulnerable Library - Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Publish Date: 2024-01-19
URL: CVE-2023-50447
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1
Release Date: 2024-01-19
Fix Resolution: pillow - 10.2.0
Vulnerable Library - transformers-4.30.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/5b/0b/e45d26ccd28568013523e04f325432ea88a442b4e3020b757cf4361f0120/transformers-4.30.2-py3-none-any.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
Publish Date: 2023-12-20
URL: CVE-2023-7018
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018
Release Date: 2023-12-20
Fix Resolution: transformers - 4.36.0
Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.
Publish Date: 2024-04-19
URL: CVE-2024-31584
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-31584
Release Date: 2024-04-19
Fix Resolution: torch - 2.2.0
Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.
Publish Date: 2024-04-17
URL: CVE-2024-31583
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-31583
Release Date: 2024-04-17
Fix Resolution: torch - 2.2.0
Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Publish Date: 2024-04-17
URL: CVE-2024-31580
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-31580
Release Date: 2024-04-17
Fix Resolution: torch - 2.2.0
Vulnerable Library - fonttools-4.38.0-py3-none-any.whl
Tools to manipulate font files
Library home page: https://files.pythonhosted.org/packages/e3/d9/e9bae85e84737e76ebbcbea13607236da0c0699baed0ae4f1151b728a608/fonttools-4.38.0-py3-none-any.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.
Publish Date: 2024-01-10
URL: CVE-2023-45139
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6673-4983-2vx5
Release Date: 2024-01-10
Fix Resolution: fonttools - 4.43.0
Vulnerable Library - Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/2c/a2/2d565cb1d754384a88998b9c86daf803a3a7908577875231eb99b8c7973d/Pillow-9.5.0-cp37-cp37m-manylinux_2_28_x86_64.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Publish Date: 2023-11-03
URL: CVE-2023-44271
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-11-03
Fix Resolution: Pillow - 10.0.0
Vulnerable Library - setuptools-68.0.0-py3-none-any.whl
Easily download, build, install, upgrade, and uninstall Python packages
Library home page: https://files.pythonhosted.org/packages/c7/42/be1c7bbdd83e1bfb160c94b9cafd8e25efc7400346cf7ccdbdb452c467fa/setuptools-68.0.0-py3-none-any.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
Publish Date: 2024-07-15
URL: CVE-2024-6345
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-6345
Release Date: 2024-07-15
Fix Resolution: setuptools - 70.0.0
Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
A vulnerability in the PyTorch's torch.distributed.rpc framework, specifically in versions prior to 2.2.2, allows for remote code execution (RCE). The framework, which is used in distributed training scenarios, does not properly verify the functions being called during RPC (Remote Procedure Call) operations. This oversight permits attackers to execute arbitrary commands by leveraging built-in Python functions such as eval during multi-cpu RPC communication. The vulnerability arises from the lack of restriction on function calls when a worker node serializes and sends a PythonUDF (User Defined Function) to the master node, which then deserializes and executes the function without validation. This flaw can be exploited to compromise master nodes initiating distributed training, potentially leading to the theft of sensitive AI-related data.
Publish Date: 2024-06-06
URL: CVE-2024-5480
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Vulnerable Library - urllib3-2.0.7-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/d2/b2/b157855192a68541a91ba7b2bbcb91f1b4faa51f8bae38d8005c034be524/urllib3-2.0.7-py3-none-any.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with
ProxyManager, theProxy-Authorizationheader is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure theProxy-Authorizationheader even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat theProxy-AuthorizationHTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip theProxy-Authorizationheader during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of theProxy-Authorizationheader, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting theProxy-Authorizationheader without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use theProxy-Authorizationheader with urllib3'sProxyManager, disable HTTP redirects usingredirects=Falsewhen sending requests, or not user theProxy-Authorizationheader as mitigations.Publish Date: 2024-06-17
URL: CVE-2024-37891
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-34jh-p97f-mpxf
Release Date: 2024-06-17
Fix Resolution: urllib3 - 1.26.19,2.2.2
Vulnerable Library - transformers-4.30.2-py3-none-any.whl
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/5b/0b/e45d26ccd28568013523e04f325432ea88a442b4e3020b757cf4361f0120/transformers-4.30.2-py3-none-any.whl
Path to dependency file: /packages/bert/requirements.txt
Path to vulnerable library: /packages/bert/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 3451649bf624f0b8b92a9b75009c77beb787a890
Found in base branch: main
Vulnerability Details
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the
load_repo_checkpoint()function of theTFPreTrainedModel()class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use ofpickle.load()on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.Publish Date: 2024-04-10
URL: CVE-2024-3568
CVSS 3 Score Details (3.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-3568
Release Date: 2024-04-10
Fix Resolution: transformers - 4.38
The text was updated successfully, but these errors were encountered: