github-action-merge-dependabot 数据伪造问题漏洞

github-action-merge-dependabot is used to automatically approve and merge dependabot PRs. A security vulnerability exists in github-action-merge-dependabot versions prior to 3.2.0, which stems from the fact that it does not check whether commits created by dependabot are verified with the correct...

How Secrets Lurking in Source Code Lead to Major Breaches

If one word could sum up the 2021 infosecurity year well, actually three, it would be these: "supply chain attack". A software supply chain attack happens when hackers manipulate the code in third-party software components to compromise the 'downstream' applications that use them. In 2021, we hav...

RUSTSEC-2022-0031 Panic due to improper UTF-8 indexing

When parsing untrusted rulex expressions, rulex may panic, possibly enabling a Denial of Service attack. This happens when the expression contains a multi- byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result. The...

osbuild-composer bug fix and enhancement update

An update is available for osbuild-composer. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The osbuild-composer package is a service for building customized OS...

Important: Red Hat Security Advisory: kernel security, bug fix, and enhancement update

An update for kernel is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

CVE-2022-1193

Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances...

Octosuite - Advanced Github OSINT Framework

Simply gatherOSINT on Github users and organizations like a god  FEATURES Fetches organization info Fetches user info Fetches repository info Returns contents of a path from a repository Returns a list of repos owned by an organization Returns a list of repos owned by a user Returns a list of...

GHSA-JX8F-CPX7-FV47 Allocation of Resources Without Limits or Throttling in nvflare

Impact NVIDIA FLARE contains a vulnerability in Admin Interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable All versions before 2.0.16 are affected. Patches The patch will be included in nvflare==2.0.1...

Integer overflow in TFLite

Impact An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations: cc int embeddingsize = 1; int lookupsize = 1; for int i = 0; i data.i32i; lookupsize = dim; outputshape-datak = dim; for int i = 1; i datak = dim; Both embeddingsize and lookupsize are...

GHSA-98P5-X8X4-C9M5 Integer overflow in TFLite

Impact An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations: cc int embeddingsize = 1; int lookupsize = 1; for int i = 0; i data.i32i; lookupsize = dim; outputshape-datak = dim; for int i = 1; i datak = dim; Both embeddingsize and lookupsize are...

Integer overflows in Tensorflow

Impact The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects so, an assert failure based denial of service: python import tensorflow as tf import numpy as np tf.rawops.AddManySparseToTensorsMap...

Out of bounds read in Tensorflow

Impact The TFG dialect of TensorFlow MLIR makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect. If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can...

Multiple `CHECK`-fails in `function.cc` in TensowFlow

Impact A malicious user can cause a denial of service by altering a SavedModel such that assertions in function.cc would be falsified and crash the Python interpreter. Patches We have patched the issue in GitHub commits dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 and...

`CHECK`-failures during Grappler's `IsSimplifiableReshape` in Tensorflow

Impact The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that IsSimplifiableReshape would trigger CHECK failures. Patches We have patched the issue in GitHub commits ebc1a2ffe5a7573d905e99bd0ee3568ee07c12c1,...

CVE-2022-23590

Tensorflow is an Open Source Machine Learning Framework. A GraphDef from a TensorFlow SavedModel can be maliciously altered to cause a TensorFlow process to crash due to encountering a StatusOr value that is an error and forcibly extracting the value from it. We have patched the issue in multiple...

PYSEC-2022-88

Tensorflow is an Open Source Machine Learning Framework. The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that SafeToRemoveIdentity would trigger CHECK failures. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this...

CVE-2022-23590 Crash due to erroneous `StatusOr` in Tensorflow

Tensorflow is an Open Source Machine Learning Framework. A GraphDef from a TensorFlow SavedModel can be maliciously altered to cause a TensorFlow process to crash due to encountering a StatusOr value that is an error and forcibly extracting the value from it. We have patched the issue in multiple...

CVE-2022-23590 Crash due to erroneous `StatusOr` in Tensorflow

Tensorflow is an Open Source Machine Learning Framework. A GraphDef from a TensorFlow SavedModel can be maliciously altered to cause a TensorFlow process to crash due to encountering a StatusOr value that is an error and forcibly extracting the value from it. We have patched the issue in multiple...

CVE-2022-23569

Tensorflow is an Open Source Machine Learning Framework. Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails i.e., assertion failures. This is similar to TFSA-2021-198 and has similar fixes. We have patched the reported issues in multiple GitHub commits. I...

Stack overflow

Tensorflow is an Open Source Machine Learning Framework. Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails i.e., assertion failures. This is similar to TFSA-2021-198 and has similar fixes. We have patched the reported issues in multiple GitHub commits. I...