CVE-2023-2800 (Medium) detected in transformers-2.3.0.tar.gz
CVE-2023-2800 - Medium Severity Vulnerability
Vulnerable Library - transformers-2.3.0.tar.gz
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/fb/53/b4867d15b0023d43cce2c4f6e7f8b67487b99b43599127868a95da0e1f47/transformers-2.3.0.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/old/requirements.txt
Dependency Hierarchy:
- ❌ transformers-2.3.0.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.
Publish Date: 2023-05-18
URL: CVE-2023-2800
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a/
Release Date: 2023-05-18
Fix Resolution: 4.30.1