paddlepaddle@2.5.0 vulnerabilities

Parallel Distributed Deep Learning

Direct Vulnerabilities

Known vulnerabilities in the paddlepaddle package. This does not include vulnerabilities belonging to this package’s dependencies.

Listed per vulnerability: severity and vulnerable version range.

Severity: Medium
External Control of File Name or Path

paddlepaddle is a Parallel Distributed Deep Learning

Affected versions of this package are vulnerable to External Control of File Name or Path due to improper handling of external input through paddle.vision.ops.read_file. An attacker can achieve data exfiltration or cause a partial impact on data integrity by injecting malicious input.

How to fix External Control of File Name or Path?

There is no fixed version for paddlepaddle.

Vulnerable versions: [0,)

Severity: Critical
Path Traversal

Affected versions of this package are vulnerable to Path Traversal due to improper limitation of a pathname to a restricted directory. An attacker can overwrite arbitrary files by submitting a crafted input containing "../" sequences to traverse directories.

Notes:

  1. On servers that have SSH enabled, an attacker may be able to inject their own public RSA key into the authorized_keys file, leading to remote code execution.

  2. On servers hosting web servers, various vulnerabilities can be exploited. On PHP or JSP servers, remote code execution may be possible via uploading a webshell. On other servers, an HTML file can be uploaded to achieve Cross-site Scripting (XSS).

  3. Being able to overwrite files can also lead to impact in terms of availability. Overwriting configuration files, source code, and such may cause the server to not function properly anymore.

How to fix Path Traversal?

Upgrade paddlepaddle to version 2.6.1 or higher.

Vulnerable versions: [,2.6.1)

Severity: Critical
Command Injection

Affected versions of this package are vulnerable to Command Injection due to improper validation of user-supplied input in the IrGraph.draw method. An attacker can execute arbitrary commands on the system by injecting malicious commands into the method's input parameters.

How to fix Command Injection?

Upgrade paddlepaddle to version 2.6.1 or higher.

Vulnerable versions: [,2.6.1)

Severity: Critical
OS Command Injection

Affected versions of this package are vulnerable to OS Command Injection due to improper input validation in the paddle.utils.download._wget_download function. An attacker can execute arbitrary commands by crafting malicious input that bypasses the filter.

Note: Depending on the context in which this code is used, this could lead to unauthorized access, data loss, or other potentially harmful consequences.

How to fix OS Command Injection?

Upgrade paddlepaddle to version 2.6.1 or higher.

Vulnerable versions: [,2.6.1)

Severity: Critical
Code Injection

Affected versions of this package are vulnerable to Code Injection due to improper validation of user-supplied input. An attacker can execute arbitrary code on the system by sending a crafted request.

How to fix Code Injection?

Upgrade paddlepaddle to version 2.6.1 or higher.

Vulnerable versions: [,2.6.1)

Severity: Critical
Improper Control of Generation of Code ('Code Injection')

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the _wget_download function, due to the url parameter being incorporated into the command string without proper validation or sanitization. An attacker can execute arbitrary code by injecting malicious input into the code generation routine.

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade paddlepaddle to version 2.6.0 or higher.

Vulnerable versions: [,2.6.0)

Severity: Medium
Divide By Zero

Affected versions of this package are vulnerable to Divide By Zero via the paddle.linalg.matrix_rank function, when the dimensions of x yield zero rows or columns. An attacker can cause a runtime crash.

How to fix Divide By Zero?

Upgrade paddlepaddle to version 2.6.0 or higher.

Vulnerable versions: [,2.6.0)

Severity: Critical
OS Command Injection

Affected versions of this package are vulnerable to OS Command Injection via the convert_shape_compare function. An attacker can execute arbitrary commands on the operating system by supplying malicious input.

How to fix OS Command Injection?

Upgrade paddlepaddle to version 2.6.0 or higher.

Vulnerable versions: [,2.6.0)

Severity: Critical
OS Command Injection

Affected versions of this package are vulnerable to OS Command Injection via the _wget_download function. An attacker can execute arbitrary commands on the operating system by injecting malicious input into the function.

How to fix OS Command Injection?

Upgrade paddlepaddle to version 2.6.0 or higher.

Vulnerable versions: [,2.6.0)

Severity: High
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Affected versions of this package are vulnerable to Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') via the paddle.linalg.lu_unpack function. An attacker can cause a denial of service or potentially execute arbitrary code by providing specially crafted input to trigger this vulnerability.

How to fix Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')?

Upgrade paddlepaddle to version 2.6.0 or higher.

Vulnerable versions: [,2.6.0)

Severity: Critical
OS Command Injection

Affected versions of this package are vulnerable to OS Command Injection via the get_online_pass_interval function. An attacker can execute arbitrary commands on the operating system by supplying malicious input.

How to fix OS Command Injection?

Upgrade paddlepaddle to version 2.6.0 or higher.

Vulnerable versions: [,2.6.0)