Source
ghsa
### Impact

When converting transposed convolutions using per-channel weight quantization the converter segfaults and crashes the Python process.

```python
import tensorflow as tf


class QuantConv2DTransposed(tf.keras.layers.Layer):
    def build(self, input_shape):
        self.kernel = self.add_weight("kernel", [3, 3, input_shape[-1], 24])

    def call(self, inputs):
        filters = tf.quantization.fake_quant_with_min_max_vars_per_channel(
            self.kernel, -3.0 * tf.ones([24]), 3.0 * tf.ones([24]), narrow_range=True
        )
        filters = tf.transpose(filters, (0, 1, 3, 2))
        return tf.nn.conv2d_transpose(inputs, filters, [*inputs.shape[:-1], 24], 1)


inp = tf.keras.Input(shape=(6, 8, 48), batch_size=1)
x = tf.quantization.fake_quant_with_min_max_vars(inp, -3.0, 3.0, narrow_range=True)
x = QuantConv2DTransposed()(x)
x = tf.quantization.fake_quant_with_min_max_vars(x, -3.0, 3.0, narrow_range=True)
model = tf.keras.Model(inp, x)
model.save("/tmp/testing")
convert...
```
### Impact

SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one-time-use codes that can be used instead of the TOTP.

In SFTPGo versions from v2.2.0 to v2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time.

### Patches

Fixed in v2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.

### Workarounds

Regenerate recovery codes after enabling two-factor authentication.

### References

https://github.com/drakkan/sftpgo/issues/965
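The fixed ordering described above, as an added example that is not SFTPGo's code: a minimal account model in which recovery codes can only be generated while two-factor authentication is enabled, are discarded when it is disabled, and are single use. Class and method names are this example's own.

```python
# Added example (not SFTPGo's code): model of the patched recovery-code rules.
# Codes cannot pre-date 2FA enrolment (generation refuses while 2FA is off) and
# cannot outlive it (disabling 2FA clears them), which closes the window in
# which a password-only attacker could stockpile codes for later use.
import hashlib
import hmac
import secrets


class TwoFactorAccount:
    def __init__(self) -> None:
        self.totp_enabled = False
        self._recovery_hashes: set = set()   # store hashes only, never raw codes

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def enable_totp(self) -> None:
        self.totp_enabled = True

    def disable_totp(self) -> None:
        self.totp_enabled = False
        self._recovery_hashes.clear()        # the fix: codes are deleted with 2FA

    def generate_recovery_codes(self, count: int = 12) -> list:
        """Return fresh one-time codes; refuse unless 2FA is already enabled."""
        if not self.totp_enabled:
            raise PermissionError("enable two-factor authentication first")
        codes = [secrets.token_hex(8) for _ in range(count)]
        self._recovery_hashes = {self._hash(c) for c in codes}   # replaces any old set
        return codes

    def redeem_recovery_code(self, code: str) -> bool:
        """Single use: a valid code is consumed; an invalid one changes nothing."""
        if not self.totp_enabled:
            return False
        digest = self._hash(code)
        match = next((s for s in self._recovery_hashes
                      if hmac.compare_digest(s, digest)), None)
        if match is None:
            return False
        self._recovery_hashes.discard(match)
        return True
```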
### Impact

It's possible to perform a CSRF attack for adding or removing tags on XWiki pages.

### Patches

The problem has been patched in XWiki 13.10.5 and 14.3.

### Workarounds

It's possible to fix the issue without upgrading by locally modifying the documentTags.vm template in your filesystem, to apply the changes exposed there: https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae.

### References

https://jira.xwiki.org/browse/XWIKI-19550

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])
### Impact

The [`ScatterNd`](https://github.com/tensorflow/tensorflow/blob/266558ac4c1f361e9a178ee9d3f0ce2e648ae499/tensorflow/lite/kernels/internal/reference/reference_ops.h#L659-L698) function takes an input argument that determines the indices of the output tensor. An input index greater than the output tensor or less than zero will either write content at the wrong index or trigger a crash.

### Patches

We have patched the issue in GitHub commit [b4d4b4cb019bd7240a52daa4ba61e3cc814f0384](https://github.com/tensorflow/tensorflow/commit/b4d4b4cb019bd7240a52daa4ba61e3cc814f0384).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with i...
### Impact

The [`GatherNd`](https://github.com/tensorflow/tensorflow/blob/f463040eb3997e42e60a2ffc6dc72de7ef11dbb4/tensorflow/lite/kernels/gather_nd.cc#L105-L111) function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read is triggered.

### Patches

We have patched the issue in GitHub commit [595a65a3e224a0362d7e68c2213acfc2b499a196](https://github.com/tensorflow/tensorflow/commit/595a65a3e224a0362d7e68c2213acfc2b499a196).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vu...
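The bounds check missing from both the `ScatterNd` and `GatherNd` advisories above, as an added example that is not TensorFlow's code: pure-Python reference versions of the two operations over flat row-major buffers, where every index is validated against the tensor shape before any read or write. Function names, the full-index restriction and the row-major layout are this example's assumptions.

```python
# Added example (not TensorFlow's code): ScatterNd/GatherNd references that
# validate each index before touching the buffer. The TFLite bugs above skip
# exactly this step, so an out-of-range index reads or writes past the tensor
# instead of failing cleanly.
import math
from typing import List, Sequence


def _check_index(index: Sequence[int], shape: Sequence[int]) -> None:
    """Reject an index that is negative or past the extent on any dimension."""
    if len(index) > len(shape):
        raise ValueError(f"index {index} has more dims than shape {shape}")
    for dim, (i, extent) in enumerate(zip(index, shape)):
        if i < 0 or i >= extent:
            raise IndexError(f"index {i} out of range [0, {extent}) on dim {dim}")


def _flat_offset(index: Sequence[int], shape: Sequence[int]) -> int:
    """Row-major offset of a full index into a flat buffer of `shape`."""
    offset = 0
    for i, extent in zip(index, shape):
        offset = offset * extent + i
    return offset


def scatter_nd(indices: List[List[int]], updates: List[int], shape: List[int]) -> List[int]:
    """Write updates[k] at indices[k] into a zero-filled buffer of `shape`."""
    if len(indices) != len(updates):
        raise ValueError("indices and updates must have the same length")
    for index in indices:
        if len(index) != len(shape):
            raise ValueError("this reference only supports full (scalar-element) indices")
        _check_index(index, shape)          # the missing bounds check, done before writing
    out = [0] * math.prod(shape)
    for index, value in zip(indices, updates):
        out[_flat_offset(index, shape)] += value   # duplicates accumulate, as in tf.scatter_nd
    return out


def gather_nd(params: List[int], shape: List[int], indices: List[List[int]]) -> List[int]:
    """Read params at each full index; every index is validated before the read."""
    result = []
    for index in indices:
        if len(index) != len(shape):
            raise ValueError("this reference only supports full (scalar-element) indices")
        _check_index(index, shape)          # the missing bounds check, done before reading
        result.append(params[_flat_offset(index, shape)])
    return result
```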
This issue and vector is similar to [RUSTSEC-2020-0029] of the `rgb` crate, which `mozjpeg` depends on.

Affected versions of the `mozjpeg` crate allow creating instances of any type `T` from bytes, and do not correctly constrain `T` to the types for which it is safe to do so.

Examples of safety violations possible for a type `T`:

* `T` contains a reference type, and it constructs a pointer to an invalid, arbitrary memory address.
* `T` requires a safety and/or validity invariant for its construction that may be violated.

The issue was fixed in 0.8.19 by using safer types and involving an `rgb` dependency bump.

[RUSTSEC-2020-0029]: https://rustsec.org/advisories/RUSTSEC-2020-0029.html
The maintainer has advised that this crate is deprecated and will not receive any maintenance. The crate does not seem to have many dependencies and may or may not be OK to use as-is. The last release seems to have been three years ago.
### Impact

The request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID.

### Patches

We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/changelog-sw5/#5-7-15

For older versions you can use the Security Plugin:

https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

### References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022
### Impact

- An attacker providing a malicious redirect URI can cause a DoS to oauthlib's web application.
- An attacker can also leverage usage of the `uri_validate` functions, depending on where they are used.

_What kind of vulnerability is it? Who is impacted?_

Oauthlib applications using OAuth2.0 provider support, or using the `uri_validate` function directly.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

Issue fixed in the 3.2.1 release.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

The `redirect_uri` can be verified in the web toolkit (i.e. `bottle-oauthlib`, `django-oauth-toolkit`, ...) before oauthlib is called. A sample check that rejects the request if `:` is present can prevent the DoS, assuming no port or IPv6 is fundamentally required.

### References

Attack Vector:

- Attacker providing malicious redirect uri: https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/gran...
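The workaround described above, as an added example that is not oauthlib's or any toolkit's own code: a toolkit-level gate that checks `redirect_uri` before oauthlib is called. It reads the `:` check as applying to the host part (the scheme separator always contains a colon), so a port or IPv6 literal is rejected; the length cap, the allowed-scheme list and the function names are this example's assumptions.

```python
# Added example (not oauthlib's code): pre-validate redirect_uri in the web
# toolkit layer so oauthlib's own validators never see a pathological value.
# A ':' in the netloc (port or IPv6 literal) is rejected, per the advisory's
# workaround, and a length cap bounds the work any later validation can do.
from urllib.parse import urlsplit

MAX_REDIRECT_URI_LEN = 2048  # assumption: generous cap for legitimate callback URIs


def precheck_redirect_uri(redirect_uri: str, allowed_schemes=("https",)) -> bool:
    """Cheap, regex-free gate run before oauthlib.

    Returns True only for a short, absolute URI with an allowed scheme whose
    host carries no port and is not an IPv6 literal (no ':' in the netloc).
    """
    if not isinstance(redirect_uri, str) or len(redirect_uri) > MAX_REDIRECT_URI_LEN:
        return False
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:            # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in allowed_schemes or not parts.netloc:
        return False
    if ":" in parts.netloc:       # port or IPv6 literal: reject, per the workaround
        return False
    if parts.fragment:            # RFC 6749 section 3.1.2: no fragment in redirect URIs
        return False
    return True


def handle_authorize(params: dict) -> str:
    """Toolkit-level handler: only forward to oauthlib when the precheck passes."""
    uri = params.get("redirect_uri", "")
    if not precheck_redirect_uri(uri):
        return "400 invalid_request"
    # oauthlib's validate_authorization_request(...) would be called here (omitted)
    return "forwarded to oauthlib"
```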
### Impact

If backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions which they are normally not able to do.

### Patches

We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/changelog-sw5/#5-7-15

For older versions you can use the Security Plugin:

https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

### References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022