paddlepaddle@2.6.0 vulnerabilities

Parallel Distributed Deep Learning

Direct Vulnerabilities

Known vulnerabilities in the paddlepaddle package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity) and vulnerable version range

External Control of File Name or Path (severity: Medium)


Affected versions of this package are vulnerable to External Control of File Name or Path because paddle.vision.ops.read_file does not properly validate the externally supplied file path. An attacker who controls that path can exfiltrate data or partially compromise data integrity.

How to fix External Control of File Name or Path?

There is no fixed version for paddlepaddle.

Vulnerable version range: [0,)

Path Traversal (severity: Critical)


Affected versions of this package are vulnerable to Path Traversal due to improper limitation of a pathname to a restricted directory. An attacker can overwrite arbitrary files by submitting a crafted input containing "../" sequences to traverse directories.

Notes:

  1. On servers that have SSH enabled, an attacker may be able to inject their own public RSA key into the authorized_keys file, leading to remote code execution.

  2. On servers hosting web servers, various vulnerabilities can be exploited. On PHP or JSP servers, remote code execution may be possible via uploading a webshell. On other servers an HTML file can be uploaded to achieve Cross-site Scripting (XSS).

  3. Being able to overwrite files can also affect availability: overwriting configuration files, source code, and similar may cause the server to stop functioning properly.

How to fix Path Traversal?

Upgrade paddlepaddle to version 2.6.1 or higher.

Vulnerable version range: [,2.6.1)

Command Injection (severity: Critical)


Affected versions of this package are vulnerable to Command Injection due to improper validation of user-supplied input in the IrGraph.draw method. An attacker can execute arbitrary commands on the system by injecting malicious commands into the method's input parameters.

How to fix Command Injection?

Upgrade paddlepaddle to version 2.6.1 or higher.

Vulnerable version range: [,2.6.1)

OS Command Injection (severity: Critical)


Affected versions of this package are vulnerable to OS Command Injection due to improper input validation in the paddle.utils.download._wget_download function. An attacker can execute arbitrary commands by crafting malicious input that bypasses the filter.

Note: Depending on the context in which this code is used, this could lead to unauthorized access, data loss, or other potentially harmful consequences.

How to fix OS Command Injection?

Upgrade paddlepaddle to version 2.6.1 or higher.

Vulnerable version range: [,2.6.1)

Code Injection (severity: Critical)


Affected versions of this package are vulnerable to Code Injection due to improper validation of user-supplied input. An attacker can execute arbitrary code on the system by sending a crafted request.

How to fix Code Injection?

Upgrade paddlepaddle to version 2.6.1 or higher.

Vulnerable version range: [,2.6.1)