tlkh/mini-dlperf

CVE-2023-2800 (Medium) detected in transformers-2.3.0.tar.gz

Opened this issue · 0 comments

mend-bolt-for-github commented

CVE-2023-2800 - Medium Severity Vulnerability

Vulnerable Library - transformers-2.3.0.tar.gz

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/fb/53/b4867d15b0023d43cce2c4f6e7f8b67487b99b43599127868a95da0e1f47/transformers-2.3.0.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/old/requirements.txt

Dependency Hierarchy:

  • transformers-2.3.0.tar.gz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.

Publish Date: 2023-05-18

URL: CVE-2023-2800

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a/

Release Date: 2023-05-18

Fix Resolution: 4.30.1

Step up your Open Source Security Game with Mend here