GSA_kwCzR0hTQS05cTl2LXFnd3gtODRtcs4AA05R

Critical EPSS: 0.00342% (0.55852 Percentile) EPSS:

Permalink JSON

Command injection in PaddlePaddle

Affected Packages	Affected Versions	Fixed Versions
pypi:paddlepaddle	>= 0, < 2.5.0	2.5.0
58 Dependent packages 2,208 Dependent repositories 545,565 Downloads last month Affected Version Ranges All affected versions 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2 All unaffected versions 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 3.0.0, 3.1.0

PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.

References:

Identifiers

GHSA-9q9v-qgwx-84mr

CVE-2023-38673

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00342

EPSS Percentile: 0.55852

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/PaddlePaddle/Paddle

Date and time

Published

about 2 years ago

Updated

over 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories