paddlepaddle@2.3.2 vulnerabilities

Parallel Distributed Deep Learning

latest version

2.6.1
first published

4 years ago
latest version published

2 months ago
licenses detected
- Apache-2.0
  [0,)
View paddlepaddle package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the paddlepaddle package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M External Control of File Name or Path paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to External Control of File Name or Path due to improper handling of external input through `paddle.vision.ops.read_file`. An attacker can achieve data exfiltration or cause a partial impact on data integrity by injecting malicious input. How to fix External Control of File Name or Path? There is no fixed version for `paddlepaddle`.	[0,)
C Path Traversal paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Path Traversal due to improper limitation of a pathname to a restricted directory. An attacker can overwrite arbitrary files by submitting a crafted input containing "../" sequences to traverse directories. Notes: On servers that have SSH enabled, an attacker may be able to inject their own public RSA key into the `authorized_keys` file, leading to remote code execution. On servers hosting web servers, various vulnerabilities can be exploited. On PHP or JSP server, remote code execution may be possible via uploading a webshell. On other servers an HTML file can be uploaded to achieve Cross-site Scripting (XSS) Being able to overwrite files can also lead to impact in terms of availability. Overwriting configuration files, source code, and such may cause the server to not function properly anymore. How to fix Path Traversal? Upgrade `paddlepaddle` to version 2.6.1 or higher.	[,2.6.1)
C Command Injection paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Command Injection due to improper validation of user-supplied input in the `IrGraph.draw` method. An attacker can execute arbitrary commands on the system by injecting malicious commands into the method's input parameters. How to fix Command Injection? Upgrade `paddlepaddle` to version 2.6.1 or higher.	[,2.6.1)
C OS Command Injection paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to OS Command Injection due to improper input validation in the `paddle.utils.download._wget_download` function. An attacker can execute arbitrary commands by crafting malicious input that bypasses the filter. Note: Depending on the context in which this code is used, this could lead to unauthorized access, data loss, or other potentially harmful consequences. How to fix OS Command Injection? Upgrade `paddlepaddle` to version 2.6.1 or higher.	[,2.6.1)
C Code Injection paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Code Injection due to improper validation of user-supplied input. An attacker can execute arbitrary code on the system by sending a crafted request. How to fix Code Injection? Upgrade `paddlepaddle` to version 2.6.1 or higher.	[,2.6.1)
C Improper Control of Generation of Code ('Code Injection') paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the `_wget_download` function, due to the url parameter being incorporated into the command string without proper validation or sanitization. An attacker can execute arbitrary code by injecting malicious input into the code generation routine. How to fix Improper Control of Generation of Code ('Code Injection')? Upgrade `paddlepaddle` to version 2.6.0 or higher.	[,2.6.0)
M Divide By Zero paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Divide By Zero via the`paddle.linalg.matrix_rank` function, when x dim calculates `rows` or `cols` to 0. An attacker can cause a runtime crash. How to fix Divide By Zero? Upgrade `paddlepaddle` to version 2.6.0 or higher.	[,2.6.0)
C OS Command Injection paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to OS Command Injection via the `convert_shape_compare` function. An attacker can execute arbitrary commands on the operating system by supplying malicious input. How to fix OS Command Injection? Upgrade `paddlepaddle` to version 2.6.0 or higher.	[,2.6.0)
C OS Command Injection paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to OS Command Injection via the `_wget_download` function. An attacker can execute arbitrary commands on the operating system by injecting malicious input into the function. How to fix OS Command Injection? Upgrade `paddlepaddle` to version 2.6.0 or higher.	[,2.6.0)
H Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') via the `paddle.linalg.lu_unpack` function. An attacker can cause a denial of service or potentially execute arbitrary code by providing specially crafted input to trigger this vulnerability. How to fix Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')? Upgrade `paddlepaddle` to version 2.6.0 or higher.	[,2.6.0)
C OS Command Injection paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to OS Command Injection via the `get_online_pass_interval` function. An attacker can execute arbitrary commands on the operating system by supplying malicious input. How to fix OS Command Injection? Upgrade `paddlepaddle` to version 2.6.0 or higher.	[,2.6.0)
H Use After Free paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Use After Free in `paddle.diagonal`. How to fix Use After Free? Upgrade `paddlepaddle` to version 2.5.0rc0 or higher.	[,2.5.0rc0)
H NULL Pointer Dereference paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to NULL Pointer Dereference in the `PyObject_CheckLongOrToLong()` function used by `paddle.flip`, which can cause a segmentation fault and crash. How to fix NULL Pointer Dereference? Upgrade `paddlepaddle` to version 2.5.0rc0 or higher.	[,2.5.0rc0)
H Heap-based Buffer Overflow paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Heap-based Buffer Overflow in `paddle.trace`, which can lead to denial of service, information disclosure, or other impacts. How to fix Heap-based Buffer Overflow? Upgrade `paddlepaddle` to version 2.5.0rc0 or higher.	[,2.5.0rc0)
M Denial of Service (DoS) paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Denial of Service (DoS) due to a divide-by-zero exception in `paddle.linalg.matrix_power`, which can trigger a crash. How to fix Denial of Service (DoS)? Upgrade `paddlepaddle` to version 2.5.0rc0 or higher.	[,2.5.0rc0)
C Command Injection paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Command Injection in `fs.py` via the `os.system` method. How to fix Command Injection? Upgrade `paddlepaddle` to version 2.5.0 or higher.	[,2.5.0)
H Out-of-bounds Read paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Out-of-bounds Read due to the implementation of `GatherTreeKernel` which does not validate the `ids_dims` size which would result in a memory out-of-bounds read if the ids shape is invalid. How to fix Out-of-bounds Read? Upgrade `paddlepaddle` to version 2.4.0 or higher.	[0,2.4.0)
C Arbitrary Code Injection paddlepaddle is a Parallel Distributed Deep Learning Affected versions of this package are vulnerable to Arbitrary Code Injection via `paddle.audio.functional.get_window` because it calls `eval` on a user-supplied `winstr`. How to fix Arbitrary Code Injection? Upgrade `paddlepaddle` to version 2.4.0 or higher.	[,2.4.0)

Go back to all versions of this package

paddlepaddle@2.3.2 vulnerabilities

Parallel Distributed Deep Learning

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities