OSV:GHSA-RC39-G977-687W
Nov 10, 2022 - 9:27 p.m.

Use of unclaimed s3 bucket in tests and examples

2022-11-10 21:27:55
Google
osv.dev

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
Percentile: 34.3%

Impact

People who use some older NLP examples that reference the old S3 bucket.

Patches

The problem has been patched. Upgrade to snapshots for now. A release addressing this will be published later, because the vulnerability mostly affects examples and one class in the actual code base.

Workarounds

Download a word2vec Google News vector from a new source using Git LFS.
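To find out whether your own examples and tests still point at a bucket you do not control, you can inventory every S3 reference in the source tree and compare it with the buckets you own. The following is an added example, not code from the advisory or the affected project; the file names, bucket names and the `OWNED` set are constructed placeholders.

```python
import re

# Bucket names: 3-63 characters of letters, digits, dots and hyphens.
_B = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# s3.amazonaws.com, s3.<region>.amazonaws.com and s3-<region>.amazonaws.com
_HOST = r"s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com"
S3_PATTERNS = [
    re.compile(r"s3://" + _B, re.I),                       # s3://bucket/key
    re.compile(r"https?://" + _B + r"\." + _HOST, re.I),   # virtual-hosted style
    re.compile(r"https?://" + _HOST + r"/" + _B, re.I),    # path style
]

def find_s3_references(text, source="<memory>"):
    """Return (source, line_no, bucket) for every S3 reference found in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in S3_PATTERNS:
            for match in pattern.finditer(line):
                hits.append((source, line_no, match.group("bucket").lower()))
    return hits

def unowned_references(files, owned_buckets):
    """files maps path -> contents; return hits whose bucket is not in the owned set."""
    owned = {b.lower() for b in owned_buckets}
    findings = []
    for path, text in sorted(files.items()):
        findings += [h for h in find_s3_references(text, path) if h[2] not in owned]
    return findings

# Constructed sample input (hypothetical paths and bucket names).
SAMPLE_FILES = {
    "examples/Word2VecExample.java":
        'String url = "https://s3.amazonaws.com/example-legacy-models/vectors.bin.gz";\n',
    "tests/test_download.py":
        'DATA = "s3://example-owned-artifacts/fixtures/small.bin"\n'
        'OLD = "http://example-legacy-models.s3.us-east-1.amazonaws.com/vec.bin"\n',
}
OWNED = {"example-owned-artifacts"}  # assumption: buckets your organisation controls

if __name__ == "__main__":
    for path, line_no, bucket in unowned_references(SAMPLE_FILES, OWNED):
        print(f"{path}:{line_no}: references bucket not in owned set: {bucket}")
```

Each finding is a reference to review: replace it with a source you control or remove it, as the workaround above does for the word2vec vectors.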
