diff --git a/src/main/java/com/redhat/ecosystemappeng/model/OsvVulnerability.java b/src/main/java/com/redhat/ecosystemappeng/model/OsvVulnerability.java
index ef02649..0fc3ea6 100644
--- a/src/main/java/com/redhat/ecosystemappeng/model/OsvVulnerability.java
+++ b/src/main/java/com/redhat/ecosystemappeng/model/OsvVulnerability.java
@@ -1,7 +1,26 @@
 package com.redhat.ecosystemappeng.model;
+import static com.redhat.ecosystemappeng.service.nvd.NvdFileService.CVE_PATTERN;
+
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 public record OsvVulnerability(String id, List aliases) {
-
+
+ public OsvVulnerability {
+ if (!CVE_PATTERN.matcher(id).matches() && aliases != null && !aliases.isEmpty()) {
+ List newAliases = new ArrayList<>();
+ newAliases.add(id);
+ for (String alias : aliases) {
+ if (CVE_PATTERN.matcher(alias).matches()) {
+ id = alias;
+ } else {
+ newAliases.add(alias);
+ }
+ }
+ aliases = Collections.unmodifiableList(newAliases);
+ }
+ }
+
 }
diff --git a/src/main/java/com/redhat/ecosystemappeng/rest/VulnerabilityEndpoint.java b/src/main/java/com/redhat/ecosystemappeng/rest/VulnerabilityEndpoint.java
index 5e4c618..c46eebf 100644
--- a/src/main/java/com/redhat/ecosystemappeng/rest/VulnerabilityEndpoint.java
+++ b/src/main/java/com/redhat/ecosystemappeng/rest/VulnerabilityEndpoint.java
@@ -16,17 +17,17 @@ public class VulnerabilityEndpoint {
 @Inject
- VulnerabilityService cveService;
+ VulnerabilityService svc;
 @POST
 public List find(List vulnerabilities, @QueryParam("reload") boolean reload) {
- return cveService.findByAlias(vulnerabilities, reload);
+ return svc.findByAlias(vulnerabilities, reload);
 }
 @GET
 @Path("/{alias}")
 public Vulnerability get(@PathParam("alias") String alias, @QueryParam("reload") boolean reload) {
- return cveService.getByAlias(alias, reload);
+ return svc.getByAlias(alias, reload);
 }
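Review bot: In the compact constructor's loop, a second alias matching `CVE_PATTERN` overwrites `id`, and the earlier CVE alias ends up neither as `id` nor in `newAliases`, so a CVE identifier is silently dropped from the record. Also `CVE_PATTERN.matcher(id)` runs before any null check, so a null `id` throws NullPointerException; if this record is bound from the OSV API response (as the `osvApi.getVuln` call elsewhere in this diff suggests), that is externally supplied data and the constructor should tolerate it. Suggested guard and loop body: `if (id != null && !CVE_PATTERN.matcher(id).matches() && aliases != null && !aliases.isEmpty()) {` and `if (CVE_PATTERN.matcher(alias).matches() && !CVE_PATTERN.matcher(id).matches()) { id = alias; } else { newAliases.add(alias); }`. A Javadoc line on the record stating that `id` is normalised to the first CVE alias when the primary id is not a CVE, and that the original id is then moved into `aliases`, would make the intent explicit.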
diff --git a/src/main/java/com/redhat/ecosystemappeng/service/VulnerabilityRepository.java b/src/main/java/com/redhat/ecosystemappeng/service/VulnerabilityRepository.java
index 61fb6b0..ad60567 100644
--- a/src/main/java/com/redhat/ecosystemappeng/service/VulnerabilityRepository.java
+++ b/src/main/java/com/redhat/ecosystemappeng/service/VulnerabilityRepository.java
@@ -5,6 +5,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.CompletionException;
+import java.util.stream.Collectors;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -40,7 +41,7 @@ public VulnerabilityRepository(RedisDataSource ds) {
 this.searchCommands = ds.search();
 try {
 // Requires creating an index
- // FT.CREATE idx:aliases ON JSON SCHEMA $.aliases as vulnId TAG
+ // FT.CREATE idx:aliases ON JSON SCHEMA $.aliases as aliases TAG
 if (this.searchCommands.ft_list().stream().noneMatch(s -> s.equals(VULNID_INDEX))) {
 this.searchCommands.ftCreate(VULNID_INDEX, new CreateArgs()
@@ -54,7 +55,7 @@ public VulnerabilityRepository(RedisDataSource ds) {
 public Vulnerability get(String cveId) {
 var vuln = jsonCommands.jsonGet(cveId, Vulnerability.class);
- if(vuln == null) {
+ if (vuln == null) {
 return new Vulnerability.Builder().cveId(cveId).build();
 }
 return vuln;
@@ -107,11 +108,11 @@ public Vulnerability getByAlias(String alias) {
 public List listByAliases(List aliases) {
 var response = searchCommands.ftSearch(VULNID_INDEX, "@aliases:{" + String.join("|", aliases.toArray(new String[0])).replaceAll("\\-", "\\\\-") + "}",
- new QueryArgs().limit(0, 1).withPayloads());
+ new QueryArgs().verbatim().withPayloads());
 if (response == null || response.documents().isEmpty()) {
 return aliases.stream().map(alias -> new Vulnerability.Builder().aliases(List.of(alias)).build()).toList();
 }
- return response.documents().stream().map(v -> {
+ var found = response.documents().stream().map(v -> {
 try {
 var val = mapper.readValue(v.property("$").asBytes(), Vulnerability.class);
 return val;
@@ -120,8 +121,21 @@ public List listByAliases(List aliases) {
 LOGGER.error("Unable to deserialize Vulnerability {}", alias, e);
 return new Vulnerability.Builder().aliases(List.of(alias)).build();
 }
+ }).collect(Collectors.toMap(val -> {
+ var alias = aliases.stream().filter(a -> val.aliases().contains(a)).findFirst();
+ if (alias.isPresent()) {
+ return alias.get();
+ }
+ throw new IllegalStateException("Unexpected item received: " + val.aliases());
+ }, val -> val));
+
+ return aliases.stream().map(alias -> {
+ Vulnerability vuln = found.get(alias);
+ if (vuln == null) {
+ return new Vulnerability.Builder().aliases(List.of(alias)).build();
+ }
+ return vuln;
 }).toList();
- }
 }
diff --git a/src/main/java/com/redhat/ecosystemappeng/service/VulnerabilityServiceImpl.java b/src/main/java/com/redhat/ecosystemappeng/service/VulnerabilityServiceImpl.java
index f0039c1..f27ea67 100644
--- a/src/main/java/com/redhat/ecosystemappeng/service/VulnerabilityServiceImpl.java
+++ b/src/main/java/com/redhat/ecosystemappeng/service/VulnerabilityServiceImpl.java
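Review bot: The `ftSearch` query on the `var response = …` line is still built by string-concatenating the caller-supplied aliases and escapes only `-`; `verbatim()` only disables stemming, so an alias containing `|`, `{`, `}`, `,`, whitespace or other RediSearch query syntax still changes the query's meaning or makes the whole batch fail. These aliases arrive from the request body of `VulnerabilityEndpoint.find` in this same diff, so they should be treated as untrusted: reject any alias that does not match a strict allow-list pattern (letters, digits and `-`, widened only if a real alias scheme needs more) before the query is built, and escape every RediSearch special character rather than just the hyphen. Separately, dropping `limit(0, 1)` without a replacement leaves FT.SEARCH's default page size (10 documents unless the server default was changed), so a request for more than ten aliases would be silently truncated; `.limit(0, aliases.size())` keeps the result complete. `listByAliases` continues in the next hunk.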
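Review bot: `Collectors.toMap` at `}).collect(Collectors.toMap(val -> {` has no merge function, so two returned documents that resolve to the same requested alias make the whole call throw IllegalStateException instead of returning a result, and a single document that carries two of the requested aliases is keyed only by the first (`findFirst`), so the second alias falls through to the empty placeholder even though it was found. Building the lookup alias-by-alias avoids both: iterate the requested `aliases`, take the first deserialised vulnerability whose `aliases()` contains it, and never throw on duplicates. The key-mapper's `IllegalStateException` for an unmatched document likewise turns one unexpected row into a failed request for every alias in the batch, whereas skipping and logging that row would keep the other results usable. This needs `java.util.HashMap` imported; the first part of `listByAliases` is in the previous hunk.
```java
var results = response.documents().stream().map(v -> {
    // … unchanged: deserialise the document, empty placeholder on failure …
}).toList();

// One entry per requested alias; duplicate or multi-alias documents never throw.
var found = new HashMap<String, Vulnerability>();
for (var alias : aliases) {
    results.stream()
            .filter(val -> val.aliases() != null && val.aliases().contains(alias))
            .findFirst()
            .ifPresent(val -> found.put(alias, val));
}
// … unchanged: return aliases.stream().map(alias -> found.get(alias) or placeholder).toList() …
```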
@@ -9,19 +9,21 @@
 import java.util.concurrent.ExecutorService;
 import org.eclipse.microprofile.rest.client.inject.RestClient;
+import org.jboss.resteasy.reactive.ClientWebApplicationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.NullNode;
+import com.redhat.ecosystemappeng.model.OsvVulnerability;
 import com.redhat.ecosystemappeng.model.Vulnerability;
 import com.redhat.ecosystemappeng.service.nvd.NvdService;
 import com.redhat.ecosystemappeng.service.osv.OsvApi;
-import com.redhat.ecosystemappeng.service.osv.OsvLoader;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
 @ApplicationScoped
@@ -32,9 +34,6 @@ public class VulnerabilityServiceImpl implements VulnerabilityService {
 @Inject
 VulnerabilityRepository repository;
- @Inject
- OsvLoader osvLoader;
-
 @Inject
 NvdService nvdService;
@@ -90,12 +89,21 @@ private Vulnerability load(Vulnerability vuln) {
 builder.created(vuln.created()).lastModified(new Date());
 }
 if (vuln.aliases() != null && !vuln.aliases().isEmpty()) {
- var alias = osvLoader.getCveByAlias(vuln.aliases().get(0));
+ OsvVulnerability alias = null;
+ try {
+ alias = osvApi.getVuln(vuln.aliases().get(0));
+ } catch (ClientWebApplicationException e) {
+ if(e.getResponse() != null && e.getResponse().getStatus() == Response.Status.NOT_FOUND.getStatusCode()) {
+ LOGGER.info("Not found vulnerability: {} in OSV", vuln.aliases().get(0));
+ } else {
+ LOGGER.error("Error retrieving OSV vulnerability for {}", vuln.aliases().get(0), e);
+ }
+ }
 if (alias != null) {
 Set aliases = new HashSet<>(alias.aliases());
 aliases.addAll(vuln.aliases());
- builder.cveId(alias.cveId()).aliases(new ArrayList<>(aliases));
- var existing = repository.get(alias.cveId());
+ builder.cveId(alias.id()).aliases(new ArrayList<>(aliases));
+ var existing = repository.get(alias.id());
 // missing match between cve and vulnId
 if (existing.exists() && !NullNode.getInstance().equals(existing.nvdData())) {
 builder.nvdData(existing.nvdData()).created(existing.created()).lastModified(new Date());
@@ -118,9 +126,8 @@ private Vulnerability load(Vulnerability vuln) {
 LOGGER.error("Unable to parse NVD data for {}", vuln.cveId(), e);
 }
 }
- }
- if (builder.getCveId() == null) {
- builder.cveId("missing_cve::" + builder.getAliases().toString());
+ } else {
+ builder.cveId("missing_cve::" + builder.getAliases().get(0));
 }
 var newVuln = builder.build();
 repository.save(newVuln);
diff --git a/src/main/java/com/redhat/ecosystemappeng/service/nvd/NvdFileService.java b/src/main/java/com/redhat/ecosystemappeng/service/nvd/NvdFileService.java
index 889af5f..993a115 100644
--- a/src/main/java/com/redhat/ecosystemappeng/service/nvd/NvdFileService.java
+++ b/src/main/java/com/redhat/ecosystemappeng/service/nvd/NvdFileService.java
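Review bot: `new HashSet<>(alias.aliases())` on the line after `if (alias != null) {` throws NullPointerException when OSV returns a record without aliases, a case the new `OsvVulnerability` compact constructor explicitly tolerates with its `aliases != null` guard, so the same guard belongs here: `Set aliases = alias.aliases() == null ? new HashSet<>() : new HashSet<>(alias.aliases());`. `builder.cveId(alias.id())` now stores whatever primary id OSV returned; the record only rewrites `id` to a CVE when a CVE alias exists, so a GHSA- or PYSEC-only entry becomes the `cveId` used for `repository.get`, where the removed `if (builder.getCveId() == null)` check would at least have caught a null id. If that is intended, a comment saying a non-CVE OSV id may be used as the lookup key would help; if not, gate it with `CVE_PATTERN.matcher(alias.id()).matches()` (the pattern is now public on `NvdFileService`). Minor: `if(e.getResponse()` lacks the space after `if` that this commit adds elsewhere. `load` continues outside this hunk.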
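Review bot: This hunk does not show which `if` the new `} else {` closes; if it pairs with the outer `if (vuln.aliases() != null && !vuln.aliases().isEmpty())` rather than `if (alias != null)`, then `builder.getAliases().get(0)` runs exactly when the incoming aliases are null or empty and will throw unless the builder's aliases come from somewhere other than `vuln.aliases()`, and the `missing_cve::` fallback is lost for the case where aliases exist but the OSV lookup in the previous hunk returned null, leaving `cveId` possibly null at `builder.build()`. Keying the fallback on the outcome rather than the branch, as the removed code did, covers every path regardless of brace pairing: `if (builder.getCveId() == null) { builder.cveId("missing_cve::" + (builder.getAliases() == null || builder.getAliases().isEmpty() ? "unknown" : builder.getAliases().get(0))); }`. A short comment explaining why `missing_cve::` pseudo-ids are persisted at all would also help the next reader. The rest of `load` is outside this hunk.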
@@ -3,6 +3,7 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.regex.Pattern;
 import java.util.stream.Stream;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
@@ -15,7 +16,7 @@ public class NvdFileService implements NvdService {
 private static final Logger LOGGER = LoggerFactory.getLogger(NvdFileService.class);
- private static final String CVE_PATTERN = "CVE-\\d{4}-\\d{4,7}";
+ public static final Pattern CVE_PATTERN = Pattern.compile("CVE-\\d{4}-\\d{4,7}", Pattern.CASE_INSENSITIVE);
 @ConfigProperty(name = "migration.nvd.file.path")
 Path repositoryPath;
@@ -25,7 +26,7 @@ public byte[] findByCve(String cve) {
 if(cve == null || cve.isEmpty()) {
 return null;
 }
- if(!cve.matches(CVE_PATTERN)) {
+ if(!CVE_PATTERN.matcher(cve).matches()) {
 return null;
 }
 String year = cve.replace("CVE-", "");
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 2f54b0f..f31fc4a 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,5 +1,5 @@
-quarkus.redis.hosts=redis://localhost/
+# quarkus.redis.hosts=redis://localhost/
 # quarkus.log.level=DEBUG
 migration.nvd.file.path=/repo/cvelistV5/cves
diff --git a/src/test/java/com/redhat/ecosystemappeng/service/VulnerabilityRepositoryTest.java b/src/test/java/com/redhat/ecosystemappeng/service/VulnerabilityRepositoryTest.java
new file mode 100644
index 0000000..5d42f96
--- /dev/null
+++ b/src/test/java/com/redhat/ecosystemappeng/service/VulnerabilityRepositoryTest.java
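Review bot: `CVE_PATTERN` is now compiled with `Pattern.CASE_INSENSITIVE`, but the next line `String year = cve.replace("CVE-", "");` is case-sensitive, so an input such as `cve-2022-21721` passes the new check and keeps its prefix, yielding a wrong `year` and, presumably, a wrong file path further down (`repositoryPath` is a `Path`). Either drop `CASE_INSENSITIVE` here and let the other user of the pattern in `OsvVulnerability` normalise case itself, or uppercase the id before both the check and the path arithmetic, `cve = cve.toUpperCase(Locale.ROOT);` (needs `java.util.Locale`), so the accepted id and the on-disk name agree. The digit-only pattern is also what keeps this lookup free of path traversal, so a comment such as `// CVE_PATTERN must stay strict: the id becomes a path segment below` documents a constraint the next editor might otherwise loosen. `findByCve` continues below this hunk.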
@@ -0,0 +1,89 @@
+package com.redhat.ecosystemappeng.service;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+
+import com.redhat.ecosystemappeng.model.Vulnerability;
+
+import io.quarkus.test.junit.QuarkusTest;
+import jakarta.inject.Inject;
+
+@QuarkusTest
+public class VulnerabilityRepositoryTest {
+
+ @Inject
+ VulnerabilityRepository repository;
+
+ @Test
+ void testGet_NotFound() {
+ var cveId = "not_found_cve";
+ var vuln = repository.get(cveId);
+ assertNotNull(vuln);
+ assertEquals(cveId, vuln.cveId());
+ assertNull(vuln.aliases());
+ }
+
+ @Test
+ void testGet_Found() {
+ var cveId = "CVE-2022-21721";
+ var vuln = repository.get(cveId);
+ assertNotNull(vuln);
+ assertEquals(cveId, vuln.cveId());
+ assertNotNull(vuln.aliases());
+ assertNotNull(vuln.nvdData());
+ }
+
+ @Test
+ void testGetByAlias() {
+ var cveId = "CVE-2022-21721";
+ var alias = "GHSA-23hm-7w47-xw72";
+ var vuln = repository.getByAlias(alias);
+ assertNotNull(vuln);
+ assertEquals(cveId, vuln.cveId());
+ assertNotNull(vuln.aliases());
+ assertTrue(vuln.aliases().contains(alias));
+ assertNotNull(vuln.nvdData());
+ }
+
+ @Test
+ void testList() {
+ var cves = List.of("CVE-2022-21721", "not_found", "CVE-2022-21722");
+ var found = repository.list(cves);
+ assertEquals(cves.size(), found.size());
+ for(int i = 0; i < cves.size(); i++) {
+ assertNotNull(found.get(i));
+ assertEquals(cves.get(i), found.get(i).cveId());
+ }
+ assertNotNull(found.get(0).nvdData());
+ assertNotNull(found.get(2).nvdData());
+ assertNull(found.get(1).nvdData());
+
+ assertNotNull(found.get(0).aliases());
+ assertNotNull(found.get(2).aliases());
+ assertNull(found.get(1).aliases());
+ }
+
+ @Test
+ void testListByAliases() {
+ var aliases = List.of("GHSA-23hm-7w47-xw72", "not_found", "GHSA-23hm-7w47-xw73");
+ var found = repository.listByAliases(aliases);
+ assertEquals(3, found.size());
+ for(int i = 0; i < aliases.size(); i++) {
+ assertNotNull(found.get(i));
+ assertTrue(found.get(i).aliases().contains(aliases.get(i)));
+ }
+ assertNotNull(found.get(0).nvdData());
+ assertNotNull(found.get(2).nvdData());
+ assertNull(found.get(1).nvdData());
+
+ assertNotNull("CVE-2022-21721", found.get(0).cveId());
+ assertEquals("CVE-2022-21722", found.get(2).cveId());
+ assertNull(found.get(1).cveId());
+ }
+}
diff --git a/src/test/resources/application.properties b/src/test/resources/application.properties
index 28da79d..79628f5 100644
--- a/src/test/resources/application.properties
+++ b/src/test/resources/application.properties
@@ -1 +1,4 @@
-quarkus.mongodb.devservices.enabled=false
\ No newline at end of file
+migration.nvd.file.path=/tmp/cvelist
+
+quarkus.redis.devservices.image-name=redis/redis-stack:latest
+quarkus.redis.load-script=vulnerabilities.redis
\ No newline at end of file
diff --git a/src/test/resources/vulnerabilities.redis b/src/test/resources/vulnerabilities.redis
new file mode 100644
index 0000000..d4ed3a8
--- /dev/null
+++ b/src/test/resources/vulnerabilities.redis
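Review bot: `assertNotNull("CVE-2022-21721", found.get(0).cveId());` in `testListByAliases` resolves to the `assertNotNull(Object actual, String message)` overload, so the literal is the value under test and `found.get(0).cveId()` is only the failure message; the assertion can never fail and the first element's `cveId` goes unchecked. The neighbouring line shows the intended form: `assertEquals("CVE-2022-21721", found.get(0).cveId());`. The two `for(int i` loops also miss the space after the keyword that the main-code hunks in this commit add.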
@@ -0,0 +1,4 @@ +JSON.SET CVE-2022-21721 $ '{"aliases": ["BIT-tensorflow-2022-21721","PYSEC-2022-50","PYSEC-2022-105","GHSA-23hm-7w47-xw72"],"created": "2023-12-20T16:19:48.671+00:00","cveId": "CVE-2022-21721","lastModified": null,"nvdData": {"containers": {"cna": {"affected": [{"product": "n/a","vendor": "n/a","versions": [{"status": "affected","version": "n/a"}]}],"descriptions": [{"lang": "en","value": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range."}],"metrics": [{"cvssV3_1": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 8.1,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "LOW","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version": "3.1"}}],"problemTypes": [{"descriptions": [{"description": "n/a","lang": "en","type": "text"}]}],"providerMetadata": {"dateUpdated": "2022-02-03T11:01:42","orgId": "a0819718-46f1-4df5-94e2-005712e83aaa","shortName": "GitHub_M"},"references": [{"tags": ["x_refsource_CONFIRM"],"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw72"},{"tags": ["x_refsource_MISC"],"url": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943"},{"tags": ["x_refsource_MISC"],"url": 
"https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153"}],"source": {"advisory": "GHSA-23hm-7w47-xw72","discovery": "UNKNOWN"},"title": "Out of bounds read in Tensorflow","x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com","ID": "CVE-2022-21721","STATE": "PUBLIC","TITLE": "Out of bounds read in Tensorflow"},"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a","version": {"version_data": [{"version_value": "n/a"}]}}]},"vendor_name": "n/a"}]}},"data_format": "MITRE","data_type": "CVE","data_version": "4.0","description": {"description_data": [{"lang": "eng","value": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range."}]},"impact": {"cvss": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 8.1,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "LOW","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version": "3.1"}},"problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "n/a"}]}]},"references": {"reference_data": [{"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw72","refsource": "CONFIRM","url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw72"},{"name": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943","refsource": "MISC","url": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943"},{"name": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153","refsource": "MISC","url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153"}]},"source": {"advisory": "GHSA-23hm-7w47-xw72","discovery": "UNKNOWN"}}}},"cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName": "GitHub_M","cveId": "CVE-2022-21721","datePublished": "2022-02-03T11:01:42","dateReserved": "2021-11-16T00:00:00","dateUpdated": "2022-02-03T11:01:42","state": "PUBLISHED"},"dataType": "CVE_RECORD","dataVersion": "5.0"}}' +JSON.SET CVE-2022-21722 $ '{"aliases": ["BIT-tensorflow-2022-21722","PYSEC-2022-51","PYSEC-2022-106","GHSA-23hm-7w47-xw73"],"created": "2023-12-20T17:19:48.671+00:00","cveId": "CVE-2022-21722","lastModified": null,"nvdData": 
{"containers": {"cna": {"affected": [{"product": "n/a","vendor": "n/a","versions": [{"status": "affected","version": "n/a"}]}],"descriptions": [{"lang": "en","value": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range."}],"metrics": [{"cvssV3_1": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 8.1,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "LOW","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version": "3.1"}}],"problemTypes": [{"descriptions": [{"description": "n/a","lang": "en","type": "text"}]}],"providerMetadata": {"dateUpdated": "2022-02-03T11:01:42","orgId": "a0819718-46f1-4df5-94e2-005712e83aaa","shortName": "GitHub_M"},"references": [{"tags": ["x_refsource_CONFIRM"],"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw73"},{"tags": ["x_refsource_MISC"],"url": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943"},{"tags": ["x_refsource_MISC"],"url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153"}],"source": {"advisory": "GHSA-23hm-7w47-xw73","discovery": "UNKNOWN"},"title": "Out of bounds read in 
Tensorflow","x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com","ID": "CVE-2022-21722","STATE": "PUBLIC","TITLE": "Out of bounds read in Tensorflow"},"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a","version": {"version_data": [{"version_value": "n/a"}]}}]},"vendor_name": "n/a"}]}},"data_format": "MITRE","data_type": "CVE","data_version": "4.0","description": {"description_data": [{"lang": "eng","value": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range."}]},"impact": {"cvss": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 8.1,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "LOW","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version": "3.1"}},"problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "n/a"}]}]},"references": {"reference_data": [{"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw73","refsource": "CONFIRM","url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw72"},{"name": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943","refsource": "MISC","url": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943"},{"name": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153","refsource": "MISC","url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153"}]},"source": {"advisory": "GHSA-23hm-7w47-xw73","discovery": "UNKNOWN"}}}},"cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName": "GitHub_M","cveId": "CVE-2022-21722","datePublished": "2022-02-03T11:01:42","dateReserved": "2021-11-16T00:00:00","dateUpdated": "2022-02-03T11:01:42","state": "PUBLISHED"},"dataType": "CVE_RECORD","dataVersion": "5.0"}}' +JSON.SET CVE-2022-21723 $ '{"aliases": ["BIT-tensorflow-2022-21723","PYSEC-2022-52","PYSEC-2022-107","GHSA-23hm-7w47-xw74"],"created": "2023-12-20T18:19:48.671+00:00","cveId": "CVE-2022-21723","lastModified": null,"nvdData": 
{"containers": {"cna": {"affected": [{"product": "n/a","vendor": "n/a","versions": [{"status": "affected","version": "n/a"}]}],"descriptions": [{"lang": "en","value": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range."}],"metrics": [{"cvssV3_1": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 8.1,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "LOW","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version": "3.1"}}],"problemTypes": [{"descriptions": [{"description": "n/a","lang": "en","type": "text"}]}],"providerMetadata": {"dateUpdated": "2022-02-03T11:01:42","orgId": "a0819718-46f1-4df5-94e2-005712e83aaa","shortName": "GitHub_M"},"references": [{"tags": ["x_refsource_CONFIRM"],"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw74"},{"tags": ["x_refsource_MISC"],"url": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943"},{"tags": ["x_refsource_MISC"],"url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153"}],"source": {"advisory": "GHSA-23hm-7w47-xw74","discovery": "UNKNOWN"},"title": "Out of bounds read in 
Tensorflow","x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com","ID": "CVE-2022-21723","STATE": "PUBLIC","TITLE": "Out of bounds read in Tensorflow"},"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a","version": {"version_data": [{"version_value": "n/a"}]}}]},"vendor_name": "n/a"}]}},"data_format": "MITRE","data_type": "CVE","data_version": "4.0","description": {"description_data": [{"lang": "eng","value": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range."}]},"impact": {"cvss": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 8.1,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "LOW","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version": "3.1"}},"problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "n/a"}]}]},"references": {"reference_data": [{"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw74","refsource": "CONFIRM","url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw72"},{"name": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943","refsource": "MISC","url": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943"},{"name": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153","refsource": "MISC","url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153"}]},"source": {"advisory": "GHSA-23hm-7w47-xw74","discovery": "UNKNOWN"}}}},"cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName": "GitHub_M","cveId": "CVE-2022-21723","datePublished": "2022-02-03T11:01:42","dateReserved": "2021-11-16T00:00:00","dateUpdated": "2022-02-03T11:01:42","state": "PUBLISHED"},"dataType": "CVE_RECORD","dataVersion": "5.0"}}' +JSON.SET CVE-2022-21724 $ '{"aliases": ["BIT-tensorflow-2022-21724","PYSEC-2022-53","PYSEC-2022-108","GHSA-23hm-7w47-xw75"],"created": "2023-12-20T19:19:48.671+00:00","cveId": "CVE-2022-21724","lastModified": null,"nvdData": 
{"containers": {"cna": {"affected": [{"product": "n/a","vendor": "n/a","versions": [{"status": "affected","version": "n/a"}]}],"descriptions": [{"lang": "en","value": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range."}],"metrics": [{"cvssV3_1": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 8.1,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "LOW","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version": "3.1"}}],"problemTypes": [{"descriptions": [{"description": "n/a","lang": "en","type": "text"}]}],"providerMetadata": {"dateUpdated": "2022-02-03T11:01:42","orgId": "a0819718-46f1-4df5-94e2-005712e83aaa","shortName": "GitHub_M"},"references": [{"tags": ["x_refsource_CONFIRM"],"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw75"},{"tags": ["x_refsource_MISC"],"url": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943"},{"tags": ["x_refsource_MISC"],"url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153"}],"source": {"advisory": "GHSA-23hm-7w47-xw75","discovery": "UNKNOWN"},"title": "Out of bounds read in 
Tensorflow","x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com","ID": "CVE-2022-21724","STATE": "PUBLIC","TITLE": "Out of bounds read in Tensorflow"},"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a","version": {"version_data": [{"version_value": "n/a"}]}}]},"vendor_name": "n/a"}]}},"data_format": "MITRE","data_type": "CVE","data_version": "4.0","description": {"description_data": [{"lang": "eng","value": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range."}]},"impact": {"cvss": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 8.1,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "LOW","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version": "3.1"}},"problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "n/a"}]}]},"references": {"reference_data": [{"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw75","refsource": "CONFIRM","url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw72"},{"name": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943","refsource": "MISC","url": "https://github.com/tensorflow/tensorflow/commit/23968a8bf65b009120c43b5ebcceaf52dbc9e943"},{"name": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153","refsource": "MISC","url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153"}]},"source": {"advisory": "GHSA-23hm-7w47-xw75","discovery": "UNKNOWN"}}}},"cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName": "GitHub_M","cveId": "CVE-2022-21724","datePublished": "2022-02-03T11:01:42","dateReserved": "2021-11-16T00:00:00","dateUpdated": "2022-02-03T11:01:42","state": "PUBLISHED"},"dataType": "CVE_RECORD","dataVersion": "5.0"}}'