Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-6wfh-89q8-44jq: TensorFlow has null dereference on ParallelConcat with XLA

### Impact When running with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero. ```python import tensorflow as tf func = tf.raw_ops.ParallelConcat para = {'shape': 0, 'values': [1]} @tf.function(jit_compile=True) def test(): y = func(**para) return y test() ``` ### Patches We have patched the issue in GitHub commit [da66bc6d5ff466aee084f9e7397980a24890cd15](https://github.com/tensorflow/tensorflow/commit/da66bc6d5ff466aee084f9e7397980a24890cd15). The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ### Attribution This vulnerability has been reported by r3pwnx of 360 AIVul Team

ghsa
#vulnerability#git
GHSA-f49c-87jh-g47q: TensorFlow has double free in Fractional(Max/Avg)Pool

### Impact `nn_ops.fractional_avg_pool_v2` and `nn_ops.fractional_max_pool_v2` require the first and fourth elements of their parameter `pooling_ratio` to be equal to 1.0, as pooling on batch and channel dimensions is not supported. ```python import tensorflow as tf import os import numpy as np from tensorflow.python.ops import nn_ops try: arg_0_tensor = tf.random.uniform([3, 30, 50, 3], dtype=tf.float64) arg_0 = tf.identity(arg_0_tensor) arg_1_0 = 2 arg_1_1 = 3 arg_1_2 = 1 arg_1_3 = 1 arg_1 = [arg_1_0,arg_1_1,arg_1_2,arg_1_3,] arg_2 = True arg_3 = True seed = 341261001 out = nn_ops.fractional_avg_pool_v2(arg_0,arg_1,arg_2,arg_3,seed=seed,) except Exception as e: print("Error:"+str(e)) ``` ### Patches We have patched the issue in GitHub commit [ee50d1e00f81f62a4517453f721c634bbb478307](https://github.com/tensorflow/tensorflow/commit/ee50d1e00f81f62a4517453f721c634bbb478307). The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on T...

GHSA-5w96-866f-6rm8: TensorFlow has Floating Point Exception in TFLite in conv kernel

### Impact Constructing a tflite model with a paramater `filter_input_channel` of less than 1 gives a FPE. ### Patches We have patched the issue in GitHub commit [34f8368c535253f5c9cb3a303297743b62442aaa](https://github.com/tensorflow/tensorflow/commit/34f8368c535253f5c9cb3a303297743b62442aaa). The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ### Attribution This vulnerability was reported by Wang Xuan of Qihoo 360 AIVul Team.

GHSA-68v3-g9cm-rmm6: TensorFlow vulnerable to Out-of-Bounds Read in GRUBlockCellGrad

### Impact Out of bounds read in GRUBlockCellGrad ```python func = tf.raw_ops.GRUBlockCellGrad para = {'x': [[21.1, 156.2], [83.3, 115.4]], 'h_prev': array([[136.5], [136.6]]), 'w_ru': array([[26.7, 0.8], [47.9, 26.1], [26.2, 26.3]]), 'w_c': array([[ 0.4], [31.5], [ 0.6]]), 'b_ru': array([0.1, 0.2 ], dtype=float32), 'b_c': 0x41414141, 'r': array([[0.3], [0.4]], dtype=float32), 'u': array([[5.7], [5.8]]), 'c': array([[52.9], [53.1]]), 'd_h': array([[172.2], [188.3 ]])} ``` ### Patches We have patched the issue in GitHub commit [ff459137c2716a2a60f7d441b855fcb466d778cb](https://github.com/tensorflow/tensorflow/commit/ff459137c2716a2a60f7d441b855fcb466d778cb). The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1 ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security...

GHSA-948f-j464-rfj2: Moodle may allow students to bypass sequential navigation during a quiz attempt

In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

GHSA-g8xm-p2h4-v6jp: OpenShift Assisted Installer leaks image pull secrets as plaintext in installation logs

A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.

GHSA-c25x-cm9x-qqgx: Deno improperly handles resizable ArrayBuffer

### Impact [Resizable ArrayBuffers](https://github.com/tc39/proposal-resizablearraybuffer) passed to asynchronous native functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. ### Patches The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. ### Workarounds Upgrade to Deno 1.32.1, or run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.

GHSA-564r-hj7v-mcr5: Spring Framework vulnerable to denial of service via specially crafted SpEL expression

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

GHSA-r47r-87p9-8jh3: Spring Vault vulnerable to insertion of sensitive information into a log file

In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.

GHSA-vj5p-fp42-774p: Moodle may display roles to users who don't have access to them

The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.