The PaddlePaddle/Anakin repository through 0.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.3 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L | 3.9 | 4.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | anakin | * |
In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Out-of-bounds read in gather_tree in PaddlePaddle before 2.4.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | 2.4.0 |
Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 8.3 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | 1.6 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This resulted in a runtime crash and denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 8.3 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | 1.6 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
FPE in paddle.linalg.matrix_rank in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Nullptr in paddle.dot in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
FPE in paddle.linalg.eig in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
OOB access in paddle.mode in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| paddle-security@baidu.com | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
FPE in paddle.topk in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
FPE in paddle.lerp in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| paddle-security@baidu.com | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L | 2.8 | 4.7 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| paddle-security@baidu.com | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| paddle-security@baidu.com | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the operating system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| paddle-security@baidu.com | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
Code Injection in paddlepaddle/paddle
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddle | * |
Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | 2.6.0 |
Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | 2.6.0 |
Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | * |
remote code execution in paddlepaddle/paddle 2.6.0
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | 2.6.0 |
paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| paddlepaddle | paddlepaddle | 2.6.0 |