GitHub Advisory Database: GHSA-RC39-G977-687W
History: Nov 10, 2022 - 9:27 p.m.

Use of unclaimed s3 bucket in tests and examples

Published: 2022-11-10 21:27:55
CWE-330
CWE-344
Source: GitHub Advisory Database (github.com)
Tags: s3 bucket, nlp, upgrade, vulnerability, examples, word2vec, git lfs

Severity: 5.3 Medium (CVSS 3.1)
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
Confidentiality Impact: Low; Integrity Impact: None; Availability Impact: None
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.001 (Low), percentile 34.3%

Impact

Users of older NLP examples and tests that download the word2vec vectors from the old S3 bucket. Because the bucket name is unclaimed, whoever registers it controls what those hard-coded download URLs return, so the examples would fetch and load content the project no longer controls.

Patches

The problem has been patched. Upgrade to snapshots for now; a release will be published later, since the vulnerability is mostly in examples and one class in the actual code base.

Workarounds

Download the word2vec Google News vectors from a new source using Git LFS instead of the old S3 bucket.
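The two checks a practitioner wants for this class of finding, as an added Python example that is not code from the deeplearning4j project or the advisory: a scanner that lists every S3 bucket a source tree still references (covering the s3://, virtual-hosted and path-style URL forms, which is more general than the single bucket the advisory concerns), and a pinned-SHA-256 verification that a replacement download, for instance one fetched via Git LFS, must pass before it is loaded. The bucket names, file names and the pinned digest are constructed placeholders, not values from the advisory.

```python
"""Added example (not dl4j project or advisory code).

1. find_s3_references / scan_tree: locate hard-coded S3 bucket URLs in source.
2. verify_pinned / load_vectors: refuse to load a downloaded file unless its
   SHA-256 matches a pinned digest, so a bucket takeover cannot swap the file.
Bucket names, file names and the digest are constructed placeholders.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# S3 bucket-name charset: 3-63 chars of lowercase letters, digits, dots, hyphens.
_BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_S3_URL_PATTERNS = [
    # s3://bucket/key
    re.compile(r"s3://" + _BUCKET + r"(?![a-z0-9.-])"),
    # virtual-hosted: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
    # legacy bucket.s3-<region>.amazonaws.com
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b"),
    # path style: s3.amazonaws.com/bucket/key, s3.<region>.amazonaws.com/bucket/key
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET + r"(?![a-z0-9.-])"),
]


def find_s3_references(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, bucket, matched_url_prefix) for every S3 URL in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in _S3_URL_PATTERNS:
            for m in pat.finditer(line):
                hits.append((lineno, m.group("bucket"), m.group(0)))
    return hits


def scan_tree(root: Path, suffixes=(".java", ".kt", ".scala", ".md", ".xml")) -> dict[str, list[str]]:
    """Map each referenced bucket name to the file:line locations that use it."""
    found: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, bucket, _ in find_s3_references(text):
            found.setdefault(bucket, []).append(f"{path}:{lineno}")
    return found


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(path: Path, expected_sha256: str) -> bool:
    """True only if the file digest equals the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_of(path), expected_sha256.lower())


def load_vectors(path: Path, expected_sha256: str) -> bytes:
    """Fail closed: never hand unverified bytes to a deserializer."""
    if not verify_pinned(path, expected_sha256):
        raise ValueError(f"{path}: SHA-256 mismatch, refusing to load")
    return path.read_bytes()


# Constructed stand-in for an older example that hard-codes bucket URLs.
SAMPLE_JAVA = """\
public class Word2VecExample {
    // placeholder buckets, not the one named in the advisory
    static final String VECTORS = "https://example-old-bucket.s3.amazonaws.com/GoogleNews-vectors-negative300.bin.gz";
    static final String ALT = "s3://example-old-bucket/GoogleNews-vectors-negative300.bin.gz";
    static final String PATH_STYLE = "https://s3.eu-west-1.amazonaws.com/example-other/vectors.bin";
}
"""

# Digest of the constructed 3-byte sample file used in demo(), not of the real vectors.
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo() -> dict:
    """Run both checks on constructed inputs and return the results."""
    refs = find_s3_references(SAMPLE_JAVA)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Word2VecExample.java").write_text(SAMPLE_JAVA, encoding="utf-8")
        by_bucket = scan_tree(root)
        vec = root / "vectors.bin"
        vec.write_bytes(b"abc")  # constructed stand-in for a downloaded vectors file
        good = verify_pinned(vec, PINNED_SHA256)
        try:
            load_vectors(vec, "00" * 32)
            bad_rejected = False
        except ValueError:
            bad_rejected = True
    return {"lines": [(ln, b) for ln, b, _ in refs], "buckets": sorted(by_bucket),
            "good": good, "bad_rejected": bad_rejected}


if __name__ == "__main__":
    print(demo())
```

Run scan_tree against the examples and test directories to confirm no reference to the old bucket remains after upgrading, and keep the pinned digest for the replacement vectors next to the download URL so a changed file fails closed rather than being silently deserialized.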

Affected configurations (Vulners)

org.deeplearning4j\dl4j, match: examples
OR
org.deeplearning4j\platform, match: tests
