Vulnerability-Lookup

CVE-2023-7018 (GCVE-0-2023-7018)

Vulnerability from cvelistv5 – Published: 2023-12-20 16:13 – Updated: 2024-08-02 08:50

Title

Deserialization of Untrusted Data in huggingface/transformers

Summary

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Severity ?

9.6 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

@huntr_ai

References

URL

	Vendor	Product	Version
	huggingface	huggingface/transformers	Affected: unspecified , < 4.36 (custom)

GSD-2023-7018

Vulnerability from gsd - Updated: 2023-12-21 06:01

Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Aliases

CVE-2023-7018

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-7018"
      ],
      "details": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.",
      "id": "GSD-2023-7018",
      "modified": "2023-12-21T06:01:24.596605Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.com",
        "ID": "CVE-2023-7018",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "huggingface/transformers",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "unspecified",
                          "version_value": "4.36"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "huggingface"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-502",
                "lang": "eng",
                "value": "CWE-502 Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c",
            "refsource": "MISC",
            "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"
          },
          {
            "name": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce",
            "refsource": "MISC",
            "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"
          }
        ]
      },
      "source": {
        "advisory": "e1a3e548-e53a-48df-b708-9ee62140963c",
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A7A810D1-9219-4534-83E2-F3FC5402E521",
                    "versionEndExcluding": "4.36.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36."
          },
          {
            "lang": "es",
            "value": "Deserializaci\u00f3n de datos que no son de confianza en el repositorio de GitHub huggingface/transformers anteriores a 4.36."
          }
        ],
        "id": "CVE-2023-7018",
        "lastModified": "2023-12-30T03:13:12.367",
        "metrics": {
          "cvssMetricV30": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 6.0,
              "source": "security@huntr.dev",
              "type": "Secondary"
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-12-20T17:15:08.823",
        "references": [
          {
            "source": "security@huntr.dev",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"
          },
          {
            "source": "security@huntr.dev",
            "tags": [
              "Exploit",
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"
          }
        ],
        "sourceIdentifier": "security@huntr.dev",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-502"
              }
            ],
            "source": "security@huntr.dev",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

GHSA-V68G-WM8C-6X7J

Vulnerability from github – Published: 2023-12-20 18:30 – Updated: 2024-11-22 20:45

Summary

transformers has a Deserialization of Untrusted Data vulnerability

Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.36.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-7018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-20T20:29:40Z",
    "nvd_published_at": "2023-12-20T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.",
  "id": "GHSA-v68g-wm8c-6x7j",
  "modified": "2024-11-22T20:45:13Z",
  "published": "2023-12-20T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7018"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "transformers has a Deserialization of Untrusted Data vulnerability"
}

FKIE_CVE-2023-7018

Vulnerability from fkie_nvd - Published: 2023-12-20 17:15 - Updated: 2024-11-21 08:45

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

References

URL	Tags
security@huntr.dev	https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce	Patch
security@huntr.dev	https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce	Patch
af854a3a-2127-422b-91ae-364da2661108	https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c	Exploit, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	huggingface	transformers	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7A810D1-9219-4534-83E2-F3FC5402E521",
              "versionEndExcluding": "4.36.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36."
    },
    {
      "lang": "es",
      "value": "Deserializaci\u00f3n de datos que no son de confianza en el repositorio de GitHub huggingface/transformers anteriores a 4.36."
    }
  ],
  "id": "CVE-2023-7018",
  "lastModified": "2024-11-21T08:45:03.013",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-20T17:15:08.823",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    }
  ]
}

CERTFR-2024-AVI-0670

Vulnerability from certfr_avis - Published: 2024-08-13 - Updated: 2024-08-13

De multiples vulnérabilités ont été découvertes dans Splunk Machine Learning Toolkit. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Splunk	Machine Learning Toolkit	Machine Learning Toolkit versions antérieures à 5.4.2 avec un version de Python for Scientific Computing antérieures à 4.2.1

References

Title

Publication Time

PYSEC-2023-301

Vulnerability from pysec - Published: 2023-12-20 17:15 - Updated: 2024-11-21 14:23

Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impacted products

Name	purl
transformers	pkg:pypi/transformers

Aliases

CVE-2023-7018

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers",
        "purl": "pkg:pypi/transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1d63b0ec361e7a38f1339385e8a5a855085532ce"
            }
          ],
          "repo": "https://github.com/huggingface/transformers",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.36.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "2.0.0",
        "2.1.0",
        "2.1.1",
        "2.10.0",
        "2.11.0",
        "2.2.0",
        "2.2.1",
        "2.2.2",
        "2.3.0",
        "2.4.0",
        "2.4.1",
        "2.5.0",
        "2.5.1",
        "2.6.0",
        "2.7.0",
        "2.8.0",
        "2.9.0",
        "2.9.1",
        "3.0.0",
        "3.0.1",
        "3.0.2",
        "3.1.0",
        "3.2.0",
        "3.3.0",
        "3.3.1",
        "3.4.0",
        "3.5.0",
        "3.5.1",
        "4.0.0",
        "4.0.0rc1",
        "4.0.1",
        "4.1.0",
        "4.1.1",
        "4.10.0",
        "4.10.1",
        "4.10.2",
        "4.10.3",
        "4.11.0",
        "4.11.1",
        "4.11.2",
        "4.11.3",
        "4.12.0",
        "4.12.1",
        "4.12.2",
        "4.12.3",
        "4.12.4",
        "4.12.5",
        "4.13.0",
        "4.14.0",
        "4.14.1",
        "4.15.0",
        "4.16.0",
        "4.16.1",
        "4.16.2",
        "4.17.0",
        "4.18.0",
        "4.19.0",
        "4.19.1",
        "4.19.2",
        "4.19.3",
        "4.19.4",
        "4.2.0",
        "4.2.1",
        "4.2.2",
        "4.20.0",
        "4.20.1",
        "4.21.0",
        "4.21.1",
        "4.21.2",
        "4.21.3",
        "4.22.0",
        "4.22.1",
        "4.22.2",
        "4.23.0",
        "4.23.1",
        "4.24.0",
        "4.25.0",
        "4.25.1",
        "4.26.0",
        "4.26.1",
        "4.27.0",
        "4.27.1",
        "4.27.2",
        "4.27.3",
        "4.27.4",
        "4.28.0",
        "4.28.1",
        "4.29.0",
        "4.29.1",
        "4.29.2",
        "4.3.0",
        "4.3.0rc1",
        "4.3.1",
        "4.3.2",
        "4.3.3",
        "4.30.0",
        "4.30.1",
        "4.30.2",
        "4.31.0",
        "4.32.0",
        "4.32.1",
        "4.33.0",
        "4.33.1",
        "4.33.2",
        "4.33.3",
        "4.34.0",
        "4.34.1",
        "4.35.0",
        "4.35.1",
        "4.35.2",
        "4.4.0",
        "4.4.1",
        "4.4.2",
        "4.5.0",
        "4.5.1",
        "4.6.0",
        "4.6.1",
        "4.7.0",
        "4.8.0",
        "4.8.1",
        "4.8.2",
        "4.9.0",
        "4.9.1",
        "4.9.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-7018"
  ],
  "details": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.",
  "id": "PYSEC-2023-301",
  "modified": "2024-11-21T14:23:01.933055+00:00",
  "published": "2023-12-20T17:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"
    },
    {
      "type": "FIX",
      "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"
    },
    {
      "type": "FIX",
      "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-7018 (GCVE-0-2023-7018)

GSD-2023-7018

GHSA-V68G-WM8C-6X7J

FKIE_CVE-2023-7018

CERTFR-2024-AVI-0670

Solutions

PYSEC-2023-301

Tags

Sightings

Nomenclature