SB2024081330 - Splunk Python for Scientific Computing update for third-party packages
Published: August 13, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 28 secuirty vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2024-31580)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in component /runtime/vararg_functions.cpp. A local user can pass specially crafted data to the application, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.
2) Buffer overflow (CVE-ID: CVE-2020-28975)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing SVM models within the svm_predict_values in svm.cpp. A remote attacker can pass a specially crafted model to the application, trigger memory corruption and perform a denial of service (DoS) attack.
3) Cleartext storage of sensitive information (CVE-ID: CVE-2024-5206)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to an error in TfidfVectorizer, which includes sensitive information such as tokens into the training data set. A local user can run the application with the default arguments except that we limit the vocabulary size and gain access to sensitive information.
4) Incorrect Regular Expression (CVE-ID: CVE-2022-40897)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing HTML content. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
5) Code Injection (CVE-ID: CVE-2024-6345)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing URL in the package_index module of pypa/setuptools. A remote attacker can send a specially crafted request and execute arbitrary code on the target system via download functions.
6) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2024-34062)
The vulnerability allows a local user to compromsie the target system.
The vulnerability exists due to an argument injection issue. A local user can execute arbitrary code on the target system.
7) Insecure Temporary File (CVE-ID: CVE-2023-2800)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
8) Deserialization of Untrusted Data (CVE-ID: CVE-2024-3568)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation within the load_repo_checkpoint() function of the TFPreTrainedModel() class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Deserialization of Untrusted Data (CVE-ID: CVE-2023-6730)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when fetching RagRetriever models. A remote attacker can pass a specially crafted config file to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Deserialization of Untrusted Data (CVE-ID: CVE-2023-7018)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation in TransfoXLTokenizer when loading vocab.pkl file. A remote attacker can pass specially a crafted file to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Resource management error (CVE-ID: CVE-2023-5678)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within DH_generate_key() and DH_check_pub_key() functions. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
12) Insufficient verification of data authenticity (CVE-ID: CVE-2023-37920)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exist due to software recognizes "e-Tugra" root certificates, which were subject to an investigation prompted by reporting of security issues in their systems. An attacker with ability to generate certificates signed with the compromised "e-Tugra" root certificate can perform MitM attack.
13) Security features bypass (CVE-ID: CVE-2024-35195)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the session object does not verify requests after making first request with verify=False. A local administrator can bypass authentication.
14) Use-after-free (CVE-ID: CVE-2024-31583)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in torch/csrc/jit/mobile/interpreter.cpp. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
15) Resource exhaustion (CVE-ID: CVE-2024-3651)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the idna.encode() function. A remote attacker can pass an overly long domain name to the application and perform a denial of service (DoS) attack.
16) Code Injection (CVE-ID: CVE-2022-45907)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the torch.jit.annotations.parse_type_line() function. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
17) Information disclosure (CVE-ID: CVE-2023-43804)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to urllib does not strip the "Cookie" HTTP header during cross-origin HTTP redirects. A remote attacker can gain unauthorized access to sensitive information.
18) Information disclosure (CVE-ID: CVE-2023-45803)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to urllib3 does not remove the HTTP request body when redirecting HTTP response using status codes 301, 302, or 303, after the request had its method changed from one that could accept a request body (e.g. from POST to GET). A remote attacker can gain access to potentially sensitive information.
19) Information disclosure (CVE-ID: CVE-2024-37891)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to Prox-Authorization header is not stripped during cross-origin redirects when using urllib3's proxy support with ProxyManager. A remote attacker can gain obtain proxy credentials used by the library.
20) Incorrect Comparison (CVE-ID: CVE-2021-34141)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incomplete string comparison in the numpy.core component in NumPy. A remote attacker can pass specific string objects to the library and perform a denial of service (DoS) attack.
21) Out-of-bounds read (CVE-ID: CVE-2024-27319)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition caused by an off-by-one error in the ONNX_ASSERT and ONNX_ASSERTM functions. A remote attacker can send specially crafted request to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
22) Path traversal (CVE-ID: CVE-2024-27318)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences passed via the external_data field of the tensor proto. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Note, the vulnerability exists due to incomplete fix for #VU75176 (CVE-2022-25882).
23) Path traversal (CVE-ID: CVE-2022-25882)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Request example:
http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
24) Incorrect Regular Expression (CVE-ID: CVE-2024-3772)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted email string to the application and perform regular expression denial of service (ReDos) attack.
25) Memory leak (CVE-ID: CVE-2023-25399)
The vulnerability allows a local user to perform DoS attack on the target system.
The vulnerability exists due memory leak within the Py_FindObjects() function. A local user can force the application to leak memory and perform denial of service attack.
26) Incorrect Regular Expression (CVE-ID: CVE-2022-40899)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing the Set-Cookie header. A remote attacker can send a specially crafted HTTP request to the application and perform a regular expression denial of service (ReDoS) attack.
27) Security features bypass (CVE-ID: CVE-2022-31799)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to mishandling errors during early request binding. A remote attacker can exploit this vulnerability to launch further attacks on the system.
28) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2020-28473)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to the usage of a vector called parameter cloaking. A remote attacker can trick the victim into opening a specially crafted HTTP request, smuggle arbitrary HTTP headers and cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server.
Remediation
Install update from vendor's website.