37 matches found
EUVD-2025-208848
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
EUVD-2021-0426
Malware in sbrugna...
EUVD-2021-0327
Malware in sbrugna...
EUVD-2022-6837
Malicious code in bioql PyPI...
EUVD-2022-3688
Malicious code in bioql PyPI...
EUVD-2023-1012
Malicious code in bioql PyPI...
EUVD-2022-6816
Malicious code in bioql PyPI...
CVE-2022-29192
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.rawops.QuantizeAndDequantizeV4Grad does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service...
Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML Platform
Cybersecurity researchers have disclosed two security flaws in Google's Vertex machine learning ML platform that, if successfully exploited, could allow malicious actors to escalate privileges and exfiltrate models from the cloud. "By exploiting custom job permissions, we were able to escalate ou...
BIT-TENSORFLOW-2021-29599 Division by zero in TFLite's implementation of `Split`
TensorFlow is an end-to-end open source platform for machine learning. The implementation of the Split TFLite operator is vulnerable to a division by zero errorhttps://github.com/tensorflow/tensorflow/blob/e2752089ef7ce9bcf3db0ec618ebd23ea119d0c7/tensorflow/lite/kernels/split.ccL63-L65. An attack...
Mlflow Code Issue Vulnerability
Mlflow is an open source platform for machine learning lifecycle. Mlflow suffers from a code issue vulnerability. An attacker exploiting this vulnerability could remotely execute code on a victim computer...
CVE-2023-30620 Arbitrary File Write when Extracting a Remotely retrieved Tarball in mindsdb/mindsdb
mindsdb is a Machine Learning platform to help developers build AI solutions. In affected versions an unsafe extraction is being performed using tarfile.extractall from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. Sometimes, the...
CVE-2022-23522
CVE-2022-23522 concerns MindsDB, where unsafe extraction via shutil.unpack_archive() from remotely retrieved tarballs may write files outside the intended directory (TarSlip/ZipSlip variant). The underlying issue: validating destination paths during archive extraction is insufficient, enabling cr...
CVE-2023-25676 TensorFlow has null dereference on ParallelConcat with XLA
TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, tf.rawops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1...
CVE-2022-35992 `CHECK` fail in `TensorListFromTensor` in TensorFlow
TensorFlow is an open source platform for machine learning. When TensorListFromTensor receives an elementshape of a rank greater than one, it gives a CHECK fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 3db59a042a38f4338aa207922fa2f476e000a6ee. The fi...
Google Tensorflow has an unspecified vulnerability (CNVD-2022-09895)
Google TensorFlow is an end-to-end open source platform for machine learning from Google, Inc...
CVE-2021-41223
TensorFlow is an open source platform for machine learning. In affected versions the implementation of FusedBatchNorm kernels is vulnerable to a heap OOB access. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow...
Heap overflow
TensorFlow is an open source platform for machine learning. In affected versions the implementation of SparseBinCount is vulnerable to a heap OOB access. This is because of missing validation between the elements of the values argument and the shape of the sparse output. The fix will be included ...
Google TensorFlow Dezero Error Vulnerability (CNVD-2021-64069)
Google TensorFlow, an end-to-end open source machine learning platform, is vulnerable to a divide by zero error in versions prior to Google TensorFlow 2.6.0. An attacker could exploit the vulnerability through a specially crafted parameter call in-place to cause a floating point exception, which...
Google TensorFlow Denial of Service Vulnerability (CNVD-2021-63076)
Google TensorFlow is an end-to-end open source machine learning platform. A security vulnerability exists in Google TensorFlow versions prior to 2.6.0. An attacker could exploit the vulnerability to cause a denial of service...