keras@2.0.3 vulnerabilities
Multi-backend Keras.
-
latest version
3.6.0
-
latest non vulnerable version
-
first published
9 years ago
-
latest version published
2 months ago
-
licenses detected
- [0.2.0,2.5.0rc0)
Direct Vulnerabilities
Known vulnerabilities in the keras package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Code Injection due to improper user input sanitization through the Lambda layer, allowing a developer to add arbitrary Python code to a model in the form of a lambda function. An attacker could use this feature to trojanize a popular model, save it, and redistribute it, tainting the supply chain of dependent AI/ML applications. In addition, exploiting this vulnerability allows arbitrary code to be executed with the same permissions as the application. Note If running pre-2.13 applications in a sandbox, ensure no assets of value are in scope of the running application to minimize the potential for data exfiltration. How to fix Code Injection? Upgrade |
[,2.13.1rc0)
|
keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Loading keras models via yaml could allow arbitrary code execution via unsafe deserialization. How to fix Deserialization of Untrusted Data? Upgrade |
[,2.6.0rc3)
|