14320 matches found
CVE-2023-46136 vulnerabilities
Vulnerabilities for packages: kubeflow-pipelines-visualization-server, kubeflow-volumes-web-app, py3-tensorflow-serving-api, py3-werkzeug, kubeflow-jupyter-web-app...
CVE-2023-46136 vulnerabilities
Vulnerabilities for packages: py3-werkzeug, kubeflow-volumes-web-app, airflow-core, kubeflow-jupyter-web-app, kubeflow-pipelines-visualization-server, py3-tensorflow-serving-api...
GHSA-HRFV-MQP8-Q5RW vulnerabilities
Vulnerabilities for packages: py3-werkzeug, kubeflow-volumes-web-app, airflow-core, kubeflow-jupyter-web-app, kubeflow-pipelines-visualization-server, py3-tensorflow-serving-api...
GHSA-HRFV-MQP8-Q5RW vulnerabilities
Vulnerabilities for packages: kubeflow-pipelines-visualization-server, kubeflow-volumes-web-app, py3-tensorflow-serving-api, py3-werkzeug, kubeflow-jupyter-web-app...
BIT-2020-15190
In TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the tf.raw_ops.Switch operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. Howeve...
BIT-2020-15191
In TensorFlow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to dlpack.to_dlpack the expected validations will cause variables to bind to nullptr while setting a status variable to the error condition. However, this status argument is not properly checked. Hence, code...
BIT-2020-15192
In TensorFlow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to dlpack.to_dlpack there is a memory leak following an expected validation failure. The issue occurs because the status argument during validation failures is not properly checked. Since each of the above methods ca...
BIT-2020-15193
In TensorFlow before versions 2.2.1 and 2.3.1, the implementation of dlpack.to_dlpack can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing ...
BIT-2020-15194
In TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the SparseFillEmptyRowsGrad implementation has incomplete validation of the shapes of its arguments. Although reverse_index_map_t and grad_values_t are accessed in a similar pattern, only reverse_index_map_t is validated to be of proper...
BIT-2020-15195
In TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of SparseFillEmptyRowsGrad uses a double indexing pattern. It is possible for reverse_index_map(i) to be an index outside of bounds of grad_values, thus resulting in a heap buffer overflow. The issue is patched in...
BIT-2020-15196
In TensorFlow version 2.3.0, the SparseCountSparseOutput and RaggedCountSparseOutput implementations don't validate that the weights tensor has the same shape as the data. The check exists for DenseCountSparseOutput, where both tensors are fully specified. In the sparse and ragged count weights a...
BIT-2020-15197
In TensorFlow before version 2.3.1, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has rank 2. This tensor must be a matrix because code assumes its elements are access...
AZL-37886 CVE-2023-38545 affecting package tensorflow for versions less than 2.16.1-1
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host na...
AZL-38099 CVE-2023-38546 affecting package tensorflow for versions less than 2.16.1-1
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a functio...
GHSA-G4MX-Q9VG-27P4 vulnerabilities
Vulnerabilities for packages: py3-cassandra-medusa, kubeflow-volumes-web-app, py3-tensorflow-serving-api, az, jwt-tool, kubeflow-katib, py3-pipenv, kubeflow-jupyter-web-app...
GHSA-G4MX-Q9VG-27P4 vulnerabilities
Vulnerabilities for packages: py3.13-scanner-test-libraries, py3.11-pytorch-cuda-12.3, py3.11-torchvision-cuda-12.3, py3-pipenv, jwt-tool, py3-tensorflow-serving-api, nvidia-nsight-compute-13.1, kubeflow-volumes-web-app, py3-cassandra-medusa, py3.11-torchvision-cuda-11.8, kubeflow-katib,...
CVE-2023-45803 vulnerabilities
Vulnerabilities for packages: py3.13-scanner-test-libraries, py3.11-pytorch-cuda-12.3, py3.11-torchvision-cuda-12.3, py3-pipenv, jwt-tool, py3-tensorflow-serving-api, nvidia-nsight-compute-13.1, kubeflow-volumes-web-app, py3-cassandra-medusa, py3.11-torchvision-cuda-11.8, kubeflow-katib,...
CVE-2023-45803 vulnerabilities
Vulnerabilities for packages: py3-cassandra-medusa, kubeflow-volumes-web-app, py3-tensorflow-serving-api, az, jwt-tool, kubeflow-katib, py3-pipenv, kubeflow-jupyter-web-app...
CVE-2023-25660 affecting package tensorflow for versions less than 2.11.1-1
CVE-2023-25660 affecting package tensorflow for versions less than 2.11.1-1. A patched version of the package is available...
CVE-2023-25658 affecting package tensorflow for versions less than 2.11.1-1
CVE-2023-25658 affecting package tensorflow for versions less than 2.11.1-1. A patched version of the package is available...