CVE-2023-7018 (High) detected in transformers-2.3.0.tar.gz
mend-bolt-for-github commented
CVE-2023-7018 - High Severity Vulnerability
Vulnerable Library - transformers-2.3.0.tar.gz
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Library home page: https://files.pythonhosted.org/packages/fb/53/b4867d15b0023d43cce2c4f6e7f8b67487b99b43599127868a95da0e1f47/transformers-2.3.0.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/old/requirements.txt
Dependency Hierarchy:
- ❌ transformers-2.3.0.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Deserialization of Untrusted Data (CWE-502) in GitHub repository huggingface/transformers prior to 4.36. Read together with the CVSS metrics below (Attack Vector: Local, User Interaction: Required), this is the usual shape of a pickle-style deserialization flaw: a user loads an attacker-supplied model or tokenizer artefact, and the loading process runs attacker-chosen code with the user's privileges (hence High confidentiality, integrity and availability impact).
Publish Date: 2023-12-20
URL: CVE-2023-7018
CVSS 3 Score Details (7.8)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018
Release Date: 2023-12-20
Fix Resolution: 4.36.0 (the pin must be raised in both files listed above, /requirements.txt and /old/requirements.txt, or the stale /old copy removed; otherwise the scanner will keep reporting the vulnerable version)
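The following is an added illustration of the vulnerability class named in this report and of the version check the suggested fix implies. It is not code from huggingface/transformers and does not reproduce the library's actual loader; the "vocab.pkl" artefact, the loader names, the allow-list and the sample requirements text are assumptions constructed for the demonstration. It shows (1) why pickle.load on a downloaded file is code execution, using a payload that sets an environment variable instead of running a shell command, (2) a restricted Unpickler that refuses any global outside an explicit allow-list, (3) a data-only JSON loader as the preferred replacement, and (4) a check of the version pinned in a requirements file against the 4.36.0 fix version.

```python
"""Added example for CVE-2023-7018's vulnerability class (CWE-502 via pickle).
Illustrative code written for this page, not taken from huggingface/transformers."""
import io
import json
import os
import pickle
import re
from collections import OrderedDict

# Observable side effect used instead of a shell command. A real payload
# would call os.system / subprocess.Popen through the same REDUCE mechanism.
MARKER = "CVE_2023_7018_DEMO_PWNED"


class MaliciousVocab:
    """Pickling this emits a REDUCE opcode: on load, pickle resolves
    builtins.exec and calls it with our string before the caller sees a 'vocab'."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_payload():
    """Constructed attacker artefact that would be shipped as e.g. vocab.pkl (name assumed)."""
    return pickle.dumps(MaliciousVocab())


def build_benign_vocab():
    """Constructed legitimate artefact: a plain token -> id mapping."""
    return pickle.dumps(OrderedDict([("<unk>", 0), ("hello", 1)]))


def payload_ran():
    return os.environ.get(MARKER) == "1"


def load_vocab_unsafe(data):
    """The vulnerable pattern: pickle.load on bytes the user downloaded."""
    return pickle.load(io.BytesIO(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allow-list (an assumed policy for
    this example). builtins.exec, os.system, subprocess.Popen etc. are refused."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_vocab_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_rejects(data):
    """True if the restricted loader refuses the artefact."""
    try:
        load_vocab_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def load_vocab_json(text):
    """Preferred fix: a data-only format cannot carry code. Validate the shape."""
    vocab = json.loads(text)
    if not isinstance(vocab, dict) or not all(isinstance(v, int) for v in vocab.values()):
        raise ValueError("vocab must map token -> int id")
    return OrderedDict(vocab)


FIXED_IN = (4, 36, 0)  # Fix Resolution from the report above


def parse_version(s):
    """x[.y[.z]] -> 3-tuple; trailing suffixes such as rc1 are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(g or 0) for g in m.groups())


def pinned_transformers_version(requirements_text):
    """Return the version pinned by a 'transformers==X.Y.Z' line, or None."""
    m = re.search(r"^transformers\s*==\s*([0-9][0-9A-Za-z.]*)", requirements_text, re.M)
    return m.group(1) if m else None


def is_vulnerable(version):
    return parse_version(version) < FIXED_IN


if __name__ == "__main__":
    load_vocab_unsafe(build_payload())
    print("unsafe loader ran the payload:", payload_ran())
    print("restricted loader rejected it:", restricted_load_rejects(build_payload()))
    print("restricted loader accepted benign:", dict(load_vocab_restricted(build_benign_vocab())))
    reqs = "torch==1.4.0\ntransformers==2.3.0\n"  # constructed requirements.txt
    v = pinned_transformers_version(reqs)
    print(f"transformers=={v} vulnerable (< 4.36.0): {is_vulnerable(v)}")
```

Note that load_vocab_unsafe returns None for the malicious artefact (exec's return value) but the marker has already been set by then: the damage is done during load, before any type check on the result could run. The restricted Unpickler is a mitigation for cases where the file format cannot be changed; switching the artefact to JSON (or another data-only format) removes the problem class entirely.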