Vulnerability Database
Blog
FAQ
Docs
GHSA-jwrc-3v3f-5cq5
Suggest an improvement
Source
https://github.com/advisories/GHSA-jwrc-3v3f-5cq5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-jwrc-3v3f-5cq5/GHSA-jwrc-3v3f-5cq5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jwrc-3v3f-5cq5
Aliases
CVE-2024-1603
Published
2024-03-23T21:30:39Z
Modified
2024-03-25T20:26:55.882301Z
Severity
8.2 (High)
CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS Calculator
Summary
PaddlePaddle allows arbitrary file read via paddle.vision.ops.read_file
Details
paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-1603
https://github.com/PaddlePaddle/Paddle
https://github.com/PaddlePaddle/Paddle/blob/release/2.6/python/paddle/vision/ops.py#L1262
https://github.com/PaddlePaddle/Paddle/blob/release/2.6/python/paddle/vision/ops.py#L1295-L1334
https://huntr.com/bounties/7739eced-73a3-4a96-afcd-9c753c55929e
Affected packages
PyPI
/
paddlepaddle
Package
Name
paddlepaddle
View open source insights on deps.dev
Purl
pkg:pypi/paddlepaddle
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Last affected
2.6.0
Affected versions
1.*
1.8.5
2.*
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0rc0
2.2.0
2.2.1
2.2.2
2.3.0rc0
2.3.0
2.3.1
2.3.2
2.4.0rc0
2.4.0
2.4.1
2.4.2
2.5.0rc0
2.5.0rc1
2.5.0
2.5.1
2.5.2
2.6.0
GHSA-jwrc-3v3f-5cq5 - OSV