tlkh/mini-dlperf

CVE-2023-7018 (High) detected in transformers-2.3.0.tar.gz

Opened this issue · 0 comments

mend-bolt-for-github commented

CVE-2023-7018 - High Severity Vulnerability

Vulnerable Library - transformers-2.3.0.tar.gz

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/fb/53/b4867d15b0023d43cce2c4f6e7f8b67487b99b43599127868a95da0e1f47/transformers-2.3.0.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/old/requirements.txt

Dependency Hierarchy:

  • transformers-2.3.0.tar.gz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-20

URL: CVE-2023-7018

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018

Release Date: 2023-12-20

Fix Resolution: 4.36.0

Step up your Open Source Security Game with Mend here