MidnightBSD

Advisories for paddlepaddle

CVE-2022-31523 MEDIUM

The PaddlePaddle/Anakin repository through 0.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.3 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L 3.9 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
paddlepaddle anakin *
CVE-2022-45908

In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2022-46741

Out-of-bounds read in gather_tree in PaddlePaddle before 2.4. 

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2022-46742

Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution.

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle 2.4.0
CVE-2023-38669

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38670

Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This resulted in a runtime crash and denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38671

Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38672

FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38673

PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38674

FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38675

FPE in paddle.linalg.matrix_rank in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38676

Nullptr in paddle.dot in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38677

FPE in paddle.linalg.eig in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-38678

OOB access in paddle.mode in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52302

Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52303

Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52304

Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
paddle-security@baidu.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L 2.8 4.7

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52305

FPE in paddle.topk in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52306

FPE in paddle.lerp in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52307

Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
paddle-security@baidu.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L 2.8 4.7

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52308

FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52309

Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L 2.8 4.7
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52310

PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
paddle-security@baidu.com 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52311

PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
paddle-security@baidu.com 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52312

Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52313

FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2023-52314

PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the operating system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
paddle-security@baidu.com 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2024-0521

Code Injection in paddlepaddle/paddle

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
paddlepaddle paddle *
CVE-2024-0815

Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle 2.6.0
CVE-2024-0817

Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle 2.6.0
CVE-2024-0818

Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle *
CVE-2024-0917

remote code execution in paddlepaddle/paddle 2.6.0

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle 2.6.0
CVE-2024-1603

paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.

Products Affected

Vendor Product Version
paddlepaddle paddlepaddle 2.6.0