
1103 matches found

OSV
added 2023/08/30 8:47 p.m., 11 views

GHSA-HW6R-G8GJ-2987 Actions expression injection in `filter-test-configs` (`GHSL-2023-181`)

The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow. Details: The filter-test-configs workflow is using the raw `github.event.workflow_run.head_branch` value...

7.7 AI score
Exploits: 0, References: 2
Github Security Blog
added 2023/08/30 8:47 p.m., 22 views

Actions expression injection in `filter-test-configs` (`GHSL-2023-181`)

The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow. Details: The filter-test-configs workflow is using the raw `github.event.workflow_run.head_branch` value...

7.6 AI score
Exploits: 0, References: 2, Affected Software: 1
Positive Technologies
added 2023/08/30 12:0 a.m., 1 views

PT-2023-33030 · Facebook · Pytorch

Name of the Vulnerable Software and Affected Versions: pytorch/pytorch, affected versions not specified. Description: The filter-test-configs workflow in pytorch/pytorch is vulnerable to an expression injection in Actions. This allows an attacker to potentially leak secrets and alter the repository...

7.8 AI score
Exploits: 0, References: 3
vulnersOsv
added 2023/08/01 1:15 a.m., 3 views

a2 (>=0.1.0 <=0.3.17), abnativ (>=1.1.0 <=1.2.9) +332 more potentially affected by CVE-2023-4033 via mlflow (>=0.8.2 <=2.5.0)

mlflow PYPI version =0.8.2, =0.1.0, =1.1.0, =0.0.5, =0.1.0, =0.1.0, =1.7.0, =1.7.0, =1.8.0, =1.7.0, =1.7.0, =0.1.1, =0.1.5 - anovos =1.1.0 - apache-submarine =0.6.0 and more Source cves: CVE-2023-4033 Source advisory: OSV:PYSEC-2023-280...

8.8 CVSS, 7.1 AI score, 0.00182 EPSS
Exploits: 0
IBM Security Bulletins
added 2023/06/28 7:47 p.m., 34 views

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary code execution in PyTorch [CVE-2022-45907]

Summary: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary code execution in PyTorch, a flaw in the `torch.jit.annotations.parse_type_line` function. CVE-2022-45907. PyTorch is included as part of our speech service runtimes. This vulnerability has been...

9.8 CVSS, 9.6 AI score, 0.00829 EPSS
Exploits: 1, Affected Software: 1
OSSF Malicious Packages
added 2023/05/20 2:5 p.m., 5 views

Malicious code in pygame-pytorch (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis c104a6d866e764da7907147cd7def349f360987498156433ef1e11bf4ac2263c The OpenSSF Package Analysis project identified 'pygame-pytorch' @ 3.4.19 pypi as malicious. It is considered malicious because: - The package...

6.9 AI score
Exploits: 0
OSV
added 2023/05/20 2:5 p.m., 15 views

MAL-2023-1391 Malicious code in pygame-pytorch (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis c104a6d866e764da7907147cd7def349f360987498156433ef1e11bf4ac2263c The OpenSSF Package Analysis project identified 'pygame-pytorch' @ 3.4.19 pypi as malicious. It is considered malicious because: - The package...

7.1 AI score
Exploits: 0
OSSF Malicious Packages
added 2023/05/20 2:5 p.m., 3 views

Malicious code in pytorch-pandas (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 21d9172520d87343cf043969211d79bebee861c010da78f947a6464d138a78eb The OpenSSF Package Analysis project identified 'pytorch-pandas' @ 14.19.3 pypi as malicious. It is considered malicious because: - The package...

6.9 AI score
Exploits: 0
OSV
added 2023/05/20 2:5 p.m., 6 views

MAL-2023-1396 Malicious code in pytorch-pandas (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 21d9172520d87343cf043969211d79bebee861c010da78f947a6464d138a78eb The OpenSSF Package Analysis project identified 'pytorch-pandas' @ 14.19.3 pypi as malicious. It is considered malicious because: - The package...

7.1 AI score
Exploits: 0
OSV
added 2023/05/20 2:0 p.m., 29 views

MAL-2023-1397 Malicious code in pytorch-pygame (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 9b4d07e646a51314cbd80fbeca6a94710d46a4d72598742c1ba79008e84d2822 The OpenSSF Package Analysis project identified 'pytorch-pygame' @ 0.6.19 pypi as malicious. It is considered malicious because: - The package...

7.1 AI score
Exploits: 0
OSSF Malicious Packages
added 2023/05/20 2:0 p.m., 4 views

Malicious code in pytorch-pygame (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 9b4d07e646a51314cbd80fbeca6a94710d46a4d72598742c1ba79008e84d2822 The OpenSSF Package Analysis project identified 'pytorch-pygame' @ 0.6.19 pypi as malicious. It is considered malicious because: - The package...

6.9 AI score
Exploits: 0
IBM Security Bulletins
added 2023/05/17 7:0 p.m., 41 views

Security Bulletin: PyTorch is vulnerable to CVE-2022-45907 used in IBM Maximo Application Suite - Monitor Component

Summary: IBM Maximo Application Suite - Monitor Component uses PyTorch which is vulnerable to CVE-2022-21271. Vulnerability Details: CVEID: CVE-2022-45907 DESCRIPTION: PyTorch could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the...

9.8 CVSS, 6.3 AI score, 0.02229 EPSS
Exploits: 1, Affected Software: 1
Tenable Nessus
added 2023/04/20 12:0 a.m., 34 views

CBL Mariner 2.0 Security Update: pytorch (CVE-2022-25882)

The version of pytorch installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-25882 advisory. - Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal as the external_data field ...

7.5 CVSS, 6.4 AI score, 0.05827 EPSS
Exploits: 1, References: 2
CBLMariner
added 2023/04/16 12:49 a.m., 14 views

CVE-2022-25882 affecting package pytorch for versions less than 2.0.0-1

CVE-2022-25882 affecting package pytorch for versions less than 2.0.0-1. An upgraded version of the package is available that resolves this issue...

7.5 CVSS, 7.7 AI score, 0.05827 EPSS
Exploits: 1
IBM Security Bulletins
added 2023/03/08 7:34 p.m., 62 views

Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Summary Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. Angular is part of the .NET RHEL infrastructure CVE-2021-4231. Apache UIMA is used by IBM Robotic Process Automation as part of Watson NLP CVE-2022-32287. SnakeYaml is used by IBM Robotic Process...

9.8 CVSS, 8.8 AI score, 0.93849 EPSS
Exploits: 8, Affected Software: 1
OSV
added 2023/02/10 8:24 p.m., 8 views

MAL-2023-2135 Malicious code in pytorrch (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 0a84c67aa31019373608b435abcc2b7e711922cd739b58ad641f63ad27c9e8f9 Attacker distributed 900+ malicious packages via PyPi, infecting local browsers with malicious extension to manipulate clipboard and replace crypto wallet...

6.9 AI score
Exploits: 0, References: 1
IBM Security Bulletins
added 2023/02/10 9:38 a.m., 50 views

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to arbitrary code execution due to [CVE-2022-45907]

Summary PyTorch is used by IBM App Connect Enterprise Certified Container for mapping assistance. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to arbitrary code execution. This bulletin provides patch information to addres...

9.8 CVSS, 9.7 AI score, 0.00829 EPSS
Exploits: 1, Affected Software: 1
OSV
added 2023/01/26 9:15 p.m., 3 views

AZL-25854 CVE-2022-25882 affecting package pytorch for versions less than 2.0.0-1

Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory, for example "../../../etc/passwd"...

7.5 CVSS, 6.5 AI score, 0.05827 EPSS
Exploits: 1, References: 1
Talos Blog
added 2023/01/05 7:0 p.m., 10 views

Threat Source newsletter (Jan. 5, 2023): Digging out of our inboxes

Happy New Year and welcome to this week's edition of the Threat Source newsletter. We can't tell if it's the fog from Lurene's deadly eggnog or dare we say pure rest and relaxation but we're still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged int...

0.1 AI score
Exploits: 0
Wiz blog
added 2023/01/03 1:10 p.m., 12 views

Malicious PyTorch dependency 'torchtriton' on PyPI: everything you need to know

The developers of PyTorch, a popular machine-learning framework, recently identified a malicious dependency confusion attack on the open-source project. Security teams are advised to check for infected resources and rotate any exposed keys...

6.9 AI score
Exploits: 0