@Darkborderman
Created May 31, 2023 05:37
Safety JSON
This file has been truncated, but you can view the full file.
{"$meta": {"advisory": "PyUp.io metadata", "timestamp": 1685376188, "last_updated": "2023-05-29 16:03:08", "base_domain": "https://pyup.io", "schema_version": "1.0.0", "attribution": "Licensed under CC-BY-4.0 by pyup.io"}, "google-images-search": [{"specs": ["<1.3.8"], "advisory": "Google-images-search 1.3.8 updates its dependency 'Pillow' to version 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43481/f17", "id": "pyup.io-43481", "type": "cve", "cve": "CVE-2021-25292"}, {"specs": ["<1.3.8"], "advisory": "Google-images-search 1.3.8 updates its dependency 'Pillow' to version 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43484/f17", "id": "pyup.io-43484", "type": "cve", "cve": "CVE-2021-25290"}, {"specs": ["<1.3.8"], "advisory": "Google-images-search 1.3.8 updates its dependency 'Pillow' to version 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43483/f17", "id": "pyup.io-43483", "type": "cve", "cve": "CVE-2021-25291"}, {"specs": ["<1.3.8"], "advisory": "Google-images-search 1.3.8 updates its dependency 'Pillow' to version 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43482/f17", "id": "pyup.io-43482", "type": "cve", "cve": "CVE-2021-25293"}, {"specs": ["<1.3.8"], "advisory": "Google-images-search 1.3.8 updates its dependency 'Pillow' to version 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/40043/f17", "id": "pyup.io-40043", "type": "cve", "cve": "CVE-2020-35653"}, {"specs": ["<1.3.8"], "advisory": "Google-images-search 1.3.8 updates its dependency 'Pillow' to version 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43480/f17", "id": "pyup.io-43480", "type": "cve", "cve": "CVE-2020-35655"}, {"specs": ["<1.3.8"], "advisory": "Google-images-search 1.3.8 updates its dependency 'Pillow' to version 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43479/f17", "id": 
"pyup.io-43479", "type": "cve", "cve": "CVE-2020-35654"}, {"specs": ["<1.3.8"], "advisory": "Google-images-search 1.3.8 updates its dependency 'Pillow' to version 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43485/f17", "id": "pyup.io-43485", "type": "cve", "cve": "CVE-2021-25289"}], "sanic": [{"specs": ["<0.8.0"], "advisory": "Sanic version 0.8.0 fixes a vulnerability that allows users to inject code into redirected URLs.\r\nhttps://github.com/sanic-org/sanic/pull/1260", "transitive": false, "more_info_path": "/v/42108/f17", "id": "pyup.io-42108", "type": "pve", "cve": "PVE-2021-42108"}, {"specs": [">=0.1.7,<20.12.6"], "advisory": "Sanic v20.12 officially supports Python versions 3.6, 3.7, 3.8, and 3.9. However, if you accidentally run it with version 3.10 (**which is not supported by Sanic 20.12**), your server is prone to crashing on an incoming web request.\r\nhttps://github.com/sanic-org/sanic/security/advisories/GHSA-7p79-6x2v-5h88", "transitive": false, "more_info_path": "/v/55191/f17", "id": "pyup.io-55191", "type": "pve", "cve": "PVE-2023-55191"}, {"specs": ["<20.12.7", ">=21.3.0,<21.12.2", ">=22.3.0,<22.6.1"], "advisory": "Sanic 22.6.1, 21.12.2 and 20.12.7 include a fix for CVE-2022-35920: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').\r\nhttps://github.com/sanic-org/sanic/security/advisories/GHSA-8cw9-5hmv-77w6", "transitive": false, "more_info_path": "/v/50438/f17", "id": "pyup.io-50438", "type": "cve", "cve": "CVE-2022-35920"}, {"specs": ["<19.9.0"], "advisory": "Sanic versions before 19.9.0 had unsafe default settings. 
From 19.9.0 onwards, proxy settings must be set manually and support for negative PROXIES_COUNT has been removed.\r\nhttps://github.com/sanic-org/sanic/pull/1638", "transitive": false, "more_info_path": "/v/42109/f17", "id": "pyup.io-42109", "type": "pve", "cve": "PVE-2021-42109"}, {"specs": [">=0,<0.5.1"], "advisory": "Sanic before 0.5.1 allows reading arbitrary files with directory traversal, as demonstrated by the /static/..%2f substring.", "transitive": false, "more_info_path": "/v/53941/f17", "id": "pyup.io-53941", "type": "cve", "cve": "CVE-2017-16762"}], "pupyl": [{"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44982/f17", "id": "pyup.io-44982", "type": "cve", "cve": "CVE-2020-26268"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43926/f17", "id": "pyup.io-43926", "type": "cve", "cve": "CVE-2021-29606"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43884/f17", "id": "pyup.io-43884", "type": "cve", "cve": "CVE-2021-29533"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/39208/f17", "id": "pyup.io-39208", "type": "cve", "cve": "CVE-2020-15190"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43934/f17", "id": "pyup.io-43934", "type": "cve", "cve": "CVE-2021-29613"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46292/f17", "id": "pyup.io-46292", "type": "cve", "cve": "CVE-2021-37685"}, {"specs": 
["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46320/f17", "id": "pyup.io-46320", "type": "cve", "cve": "CVE-2021-41209"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46330/f17", "id": "pyup.io-46330", "type": "cve", "cve": "CVE-2021-41219"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46333/f17", "id": "pyup.io-46333", "type": "cve", "cve": "CVE-2021-41222"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46365/f17", "id": "pyup.io-46365", "type": "cve", "cve": "CVE-2022-23564"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43932/f17", "id": "pyup.io-43932", "type": "cve", "cve": "CVE-2021-29612"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43923/f17", "id": "pyup.io-43923", "type": "cve", "cve": "CVE-2021-29601"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46317/f17", "id": "pyup.io-46317", "type": "cve", "cve": "CVE-2021-41206"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43950/f17", "id": "pyup.io-43950", "type": "cve", "cve": "CVE-2021-29559"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", 
"transitive": true, "more_info_path": "/v/43954/f17", "id": "pyup.io-43954", "type": "cve", "cve": "CVE-2021-29526"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43893/f17", "id": "pyup.io-43893", "type": "cve", "cve": "CVE-2021-29572"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44985/f17", "id": "pyup.io-44985", "type": "cve", "cve": "CVE-2020-26266"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46248/f17", "id": "pyup.io-46248", "type": "cve", "cve": "CVE-2021-37641"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46340/f17", "id": "pyup.io-46340", "type": "cve", "cve": "CVE-2020-10531"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43887/f17", "id": "pyup.io-43887", "type": "cve", "cve": "CVE-2021-29536"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46359/f17", "id": "pyup.io-46359", "type": "cve", "cve": "CVE-2022-23558"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43948/f17", "id": "pyup.io-43948", "type": "cve", "cve": "CVE-2021-29556"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43891/f17", "id": "pyup.io-43891", "type": "cve", "cve": "CVE-2021-29551"}, {"specs": 
["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43877/f17", "id": "pyup.io-43877", "type": "cve", "cve": "CVE-2021-29550"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46285/f17", "id": "pyup.io-46285", "type": "cve", "cve": "CVE-2021-37678"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46265/f17", "id": "pyup.io-46265", "type": "cve", "cve": "CVE-2021-37658"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46268/f17", "id": "pyup.io-46268", "type": "cve", "cve": "CVE-2021-37661"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46276/f17", "id": "pyup.io-46276", "type": "cve", "cve": "CVE-2021-37669"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46297/f17", "id": "pyup.io-46297", "type": "cve", "cve": "CVE-2021-37690"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46294/f17", "id": "pyup.io-46294", "type": "cve", "cve": "CVE-2021-37687"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46316/f17", "id": "pyup.io-46316", "type": "cve", "cve": "CVE-2021-41205"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to 
v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46331/f17", "id": "pyup.io-46331", "type": "cve", "cve": "CVE-2021-41220"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46334/f17", "id": "pyup.io-46334", "type": "cve", "cve": "CVE-2021-41223"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46310/f17", "id": "pyup.io-46310", "type": "cve", "cve": "CVE-2021-41199"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46346/f17", "id": "pyup.io-46346", "type": "cve", "cve": "CVE-2022-21730"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46351/f17", "id": "pyup.io-46351", "type": "cve", "cve": "CVE-2022-21735"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46352/f17", "id": "pyup.io-46352", "type": "cve", "cve": "CVE-2022-21736"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46372/f17", "id": "pyup.io-46372", "type": "cve", "cve": "CVE-2022-23571"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43869/f17", "id": "pyup.io-43869", "type": "cve", "cve": "CVE-2021-29544"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": 
"/v/46327/f17", "id": "pyup.io-46327", "type": "cve", "cve": "CVE-2021-41216"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46343/f17", "id": "pyup.io-46343", "type": "cve", "cve": "CVE-2022-21727"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46354/f17", "id": "pyup.io-46354", "type": "cve", "cve": "CVE-2022-21738"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43868/f17", "id": "pyup.io-43868", "type": "cve", "cve": "CVE-2021-29547"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43876/f17", "id": "pyup.io-43876", "type": "cve", "cve": "CVE-2021-29560"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46392/f17", "id": "pyup.io-46392", "type": "cve", "cve": "CVE-2022-23591"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46395/f17", "id": "pyup.io-46395", "type": "cve", "cve": "CVE-2022-23594"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43878/f17", "id": "pyup.io-43878", "type": "cve", "cve": "CVE-2021-29545"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43879/f17", "id": "pyup.io-43879", "type": "cve", "cve": "CVE-2021-29537"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 
0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43882/f17", "id": "pyup.io-43882", "type": "cve", "cve": "CVE-2021-29589"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43900/f17", "id": "pyup.io-43900", "type": "cve", "cve": "CVE-2021-29584"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43912/f17", "id": "pyup.io-43912", "type": "cve", "cve": "CVE-2021-29528"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43917/f17", "id": "pyup.io-43917", "type": "cve", "cve": "CVE-2021-29598"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44983/f17", "id": "pyup.io-44983", "type": "cve", "cve": "CVE-2020-26270"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43945/f17", "id": "pyup.io-43945", "type": "cve", "cve": "CVE-2021-29557"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/40931/f17", "id": "pyup.io-40931", "type": "cve", "cve": "CVE-2021-29539"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/44998/f17", "id": "pyup.io-44998", "type": "cve", "cve": "CVE-2020-15197"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43924/f17", "id": "pyup.io-43924", "type": "cve", 
"cve": "CVE-2021-29605"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46250/f17", "id": "pyup.io-46250", "type": "cve", "cve": "CVE-2021-37643"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46266/f17", "id": "pyup.io-46266", "type": "cve", "cve": "CVE-2021-37659"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46256/f17", "id": "pyup.io-46256", "type": "cve", "cve": "CVE-2021-37649"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43967/f17", "id": "pyup.io-43967", "type": "cve", "cve": "CVE-2021-29577"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46257/f17", "id": "pyup.io-46257", "type": "cve", "cve": "CVE-2021-37650"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46269/f17", "id": "pyup.io-46269", "type": "cve", "cve": "CVE-2021-37662"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46275/f17", "id": "pyup.io-46275", "type": "cve", "cve": "CVE-2021-37668"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43964/f17", "id": "pyup.io-43964", "type": "cve", "cve": "CVE-2021-29574"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its 
dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46383/f17", "id": "pyup.io-46383", "type": "cve", "cve": "CVE-2022-23582"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43920/f17", "id": "pyup.io-43920", "type": "cve", "cve": "CVE-2021-29600"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/44997/f17", "id": "pyup.io-44997", "type": "cve", "cve": "CVE-2020-15196"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43922/f17", "id": "pyup.io-43922", "type": "cve", "cve": "CVE-2021-29604"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45011/f17", "id": "pyup.io-45011", "type": "cve", "cve": "CVE-2020-15210"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43939/f17", "id": "pyup.io-43939", "type": "cve", "cve": "CVE-2021-29553"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43864/f17", "id": "pyup.io-43864", "type": "cve", "cve": "CVE-2020-8169"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43892/f17", "id": "pyup.io-43892", "type": "cve", "cve": "CVE-2021-29513"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44984/f17", "id": "pyup.io-44984", 
"type": "cve", "cve": "CVE-2020-26271"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/44999/f17", "id": "pyup.io-44999", "type": "cve", "cve": "CVE-2020-15198"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45004/f17", "id": "pyup.io-45004", "type": "cve", "cve": "CVE-2020-15203"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43902/f17", "id": "pyup.io-43902", "type": "cve", "cve": "CVE-2021-29585"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43903/f17", "id": "pyup.io-43903", "type": "cve", "cve": "CVE-2021-29586"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43940/f17", "id": "pyup.io-43940", "type": "cve", "cve": "CVE-2021-29552"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43916/f17", "id": "pyup.io-43916", "type": "cve", "cve": "CVE-2021-29529"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43857/f17", "id": "pyup.io-43857", "type": "cve", "cve": "CVE-2021-29525"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46246/f17", "id": "pyup.io-46246", "type": "cve", "cve": "CVE-2021-37639"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to 
include security fixes.", "transitive": true, "more_info_path": "/v/46243/f17", "id": "pyup.io-46243", "type": "cve", "cve": "CVE-2021-37636"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43955/f17", "id": "pyup.io-43955", "type": "cve", "cve": "CVE-2021-29516"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46279/f17", "id": "pyup.io-46279", "type": "cve", "cve": "CVE-2021-37672"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46284/f17", "id": "pyup.io-46284", "type": "cve", "cve": "CVE-2021-37677"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46321/f17", "id": "pyup.io-46321", "type": "cve", "cve": "CVE-2021-41210"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46338/f17", "id": "pyup.io-46338", "type": "cve", "cve": "CVE-2021-41227"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46377/f17", "id": "pyup.io-46377", "type": "cve", "cve": "CVE-2022-23576"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46380/f17", "id": "pyup.io-46380", "type": "cve", "cve": "CVE-2022-23579"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46387/f17", 
"id": "pyup.io-46387", "type": "cve", "cve": "CVE-2022-23586"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46348/f17", "id": "pyup.io-46348", "type": "cve", "cve": "CVE-2022-21732"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46379/f17", "id": "pyup.io-46379", "type": "cve", "cve": "CVE-2022-23578"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43890/f17", "id": "pyup.io-43890", "type": "cve", "cve": "CVE-2021-29608"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43909/f17", "id": "pyup.io-43909", "type": "cve", "cve": "CVE-2021-29594"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45001/f17", "id": "pyup.io-45001", "type": "cve", "cve": "CVE-2020-15200"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43969/f17", "id": "pyup.io-43969", "type": "cve", "cve": "CVE-2020-8285"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43915/f17", "id": "pyup.io-43915", "type": "cve", "cve": "CVE-2021-29530"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43885/f17", "id": "pyup.io-43885", "type": "cve", "cve": "CVE-2021-29535"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 
to include security fixes", "transitive": true, "more_info_path": "/v/43873/f17", "id": "pyup.io-43873", "type": "cve", "cve": "CVE-2021-29568"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43906/f17", "id": "pyup.io-43906", "type": "cve", "cve": "CVE-2021-29592"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46254/f17", "id": "pyup.io-46254", "type": "cve", "cve": "CVE-2021-37647"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46364/f17", "id": "pyup.io-46364", "type": "cve", "cve": "CVE-2022-23563"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46373/f17", "id": "pyup.io-46373", "type": "cve", "cve": "CVE-2022-23572"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43907/f17", "id": "pyup.io-43907", "type": "cve", "cve": "CVE-2021-29591"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43918/f17", "id": "pyup.io-43918", "type": "cve", "cve": "CVE-2021-29531"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43960/f17", "id": "pyup.io-43960", "type": "cve", "cve": "CVE-2021-29570"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46304/f17", "id": "pyup.io-46304", "type": "cve", "cve": 
"CVE-2021-22925"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43910/f17", "id": "pyup.io-43910", "type": "cve", "cve": "CVE-2021-29527"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46289/f17", "id": "pyup.io-46289", "type": "cve", "cve": "CVE-2021-37682"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43965/f17", "id": "pyup.io-43965", "type": "cve", "cve": "CVE-2021-29576"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46245/f17", "id": "pyup.io-46245", "type": "cve", "cve": "CVE-2021-37638"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46247/f17", "id": "pyup.io-46247", "type": "cve", "cve": "CVE-2021-37640"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46253/f17", "id": "pyup.io-46253", "type": "cve", "cve": "CVE-2021-37646"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46280/f17", "id": "pyup.io-46280", "type": "cve", "cve": "CVE-2021-37673"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46283/f17", "id": "pyup.io-46283", "type": "cve", "cve": "CVE-2021-37676"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 
'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46311/f17", "id": "pyup.io-46311", "type": "cve", "cve": "CVE-2021-41200"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46312/f17", "id": "pyup.io-46312", "type": "cve", "cve": "CVE-2021-41201"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46325/f17", "id": "pyup.io-46325", "type": "cve", "cve": "CVE-2021-41214"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46328/f17", "id": "pyup.io-46328", "type": "cve", "cve": "CVE-2021-41217"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46356/f17", "id": "pyup.io-46356", "type": "cve", "cve": "CVE-2022-21740"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46358/f17", "id": "pyup.io-46358", "type": "cve", "cve": "CVE-2022-23557"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46349/f17", "id": "pyup.io-46349", "type": "cve", "cve": "CVE-2022-21733"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46367/f17", "id": "pyup.io-46367", "type": "cve", "cve": "CVE-2022-23566"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", 
"transitive": true, "more_info_path": "/v/46374/f17", "id": "pyup.io-46374", "type": "cve", "cve": "CVE-2022-23573"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/44996/f17", "id": "pyup.io-44996", "type": "cve", "cve": "CVE-2020-15195"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43953/f17", "id": "pyup.io-43953", "type": "cve", "cve": "CVE-2021-29518"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43935/f17", "id": "pyup.io-43935", "type": "cve", "cve": "CVE-2021-29615"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43947/f17", "id": "pyup.io-43947", "type": "cve", "cve": "CVE-2020-8231"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43951/f17", "id": "pyup.io-43951", "type": "cve", "cve": "CVE-2020-8286"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46324/f17", "id": "pyup.io-46324", "type": "cve", "cve": "CVE-2021-41213"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46337/f17", "id": "pyup.io-46337", "type": "cve", "cve": "CVE-2021-41226"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45016/f17", "id": "pyup.io-45016", "type": "cve", "cve": "CVE-2020-15358"}, {"specs": 
["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43904/f17", "id": "pyup.io-43904", "type": "cve", "cve": "CVE-2021-29588"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46366/f17", "id": "pyup.io-46366", "type": "cve", "cve": "CVE-2022-23565"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46382/f17", "id": "pyup.io-46382", "type": "cve", "cve": "CVE-2022-23581"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46396/f17", "id": "pyup.io-46396", "type": "cve", "cve": "CVE-2022-23595"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46360/f17", "id": "pyup.io-46360", "type": "cve", "cve": "CVE-2022-23559"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46362/f17", "id": "pyup.io-46362", "type": "cve", "cve": "CVE-2022-23561"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43858/f17", "id": "pyup.io-43858", "type": "cve", "cve": "CVE-2021-29519"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46381/f17", "id": "pyup.io-46381", "type": "cve", "cve": "CVE-2022-23580"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include 
security fixes.", "transitive": true, "more_info_path": "/v/46384/f17", "id": "pyup.io-46384", "type": "cve", "cve": "CVE-2022-23583"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46390/f17", "id": "pyup.io-46390", "type": "cve", "cve": "CVE-2022-23589"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43883/f17", "id": "pyup.io-43883", "type": "cve", "cve": "CVE-2021-29512"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43895/f17", "id": "pyup.io-43895", "type": "cve", "cve": "CVE-2021-29578"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46242/f17", "id": "pyup.io-46242", "type": "cve", "cve": "CVE-2021-37635"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43866/f17", "id": "pyup.io-43866", "type": "cve", "cve": "CVE-2021-29616"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45008/f17", "id": "pyup.io-45008", "type": "cve", "cve": "CVE-2020-15207"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45015/f17", "id": "pyup.io-45015", "type": "cve", "cve": "CVE-2020-15214"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44989/f17", "id": "pyup.io-44989", "type": "cve", 
"cve": "CVE-2020-13790"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43894/f17", "id": "pyup.io-43894", "type": "cve", "cve": "CVE-2021-29580"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46296/f17", "id": "pyup.io-46296", "type": "cve", "cve": "CVE-2021-37689"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46249/f17", "id": "pyup.io-46249", "type": "cve", "cve": "CVE-2021-37642"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43959/f17", "id": "pyup.io-43959", "type": "cve", "cve": "CVE-2021-29561"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46264/f17", "id": "pyup.io-46264", "type": "cve", "cve": "CVE-2021-37657"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46271/f17", "id": "pyup.io-46271", "type": "cve", "cve": "CVE-2021-37664"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46350/f17", "id": "pyup.io-46350", "type": "cve", "cve": "CVE-2022-21734"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46370/f17", "id": "pyup.io-46370", "type": "cve", "cve": "CVE-2022-23569"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its 
dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46378/f17", "id": "pyup.io-46378", "type": "cve", "cve": "CVE-2022-23577"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46386/f17", "id": "pyup.io-46386", "type": "cve", "cve": "CVE-2022-23585"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43886/f17", "id": "pyup.io-43886", "type": "cve", "cve": "CVE-2021-29548"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43963/f17", "id": "pyup.io-43963", "type": "cve", "cve": "CVE-2021-29515"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43861/f17", "id": "pyup.io-43861", "type": "cve", "cve": "CVE-2021-29520"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43970/f17", "id": "pyup.io-43970", "type": "cve", "cve": "CVE-2021-37686"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44990/f17", "id": "pyup.io-44990", "type": "cve", "cve": "CVE-2020-15265"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/44995/f17", "id": "pyup.io-44995", "type": "cve", "cve": "CVE-2020-15194"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43880/f17", "id": "pyup.io-43880", 
"type": "cve", "cve": "CVE-2021-29514"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43889/f17", "id": "pyup.io-43889", "type": "cve", "cve": "CVE-2021-29540"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43901/f17", "id": "pyup.io-43901", "type": "cve", "cve": "CVE-2021-29583"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46293/f17", "id": "pyup.io-46293", "type": "cve", "cve": "CVE-2021-37686"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46240/f17", "id": "pyup.io-46240", "type": "cve", "cve": "CVE-2021-22898"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46303/f17", "id": "pyup.io-46303", "type": "cve", "cve": "CVE-2021-22924"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46259/f17", "id": "pyup.io-46259", "type": "cve", "cve": "CVE-2021-37652"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43933/f17", "id": "pyup.io-43933", "type": "cve", "cve": "CVE-2021-29546"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43958/f17", "id": "pyup.io-43958", "type": "cve", "cve": "CVE-2021-29562"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to 
include security fixes", "transitive": true, "more_info_path": "/v/43896/f17", "id": "pyup.io-43896", "type": "cve", "cve": "CVE-2021-29579"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46270/f17", "id": "pyup.io-46270", "type": "cve", "cve": "CVE-2021-37663"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43956/f17", "id": "pyup.io-43956", "type": "cve", "cve": "CVE-2021-29517"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46298/f17", "id": "pyup.io-46298", "type": "cve", "cve": "CVE-2021-37691"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46244/f17", "id": "pyup.io-46244", "type": "cve", "cve": "CVE-2021-37637"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43927/f17", "id": "pyup.io-43927", "type": "cve", "cve": "CVE-2021-29542"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46286/f17", "id": "pyup.io-46286", "type": "cve", "cve": "CVE-2021-37679"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43962/f17", "id": "pyup.io-43962", "type": "cve", "cve": "CVE-2021-29573"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46277/f17", "id": "pyup.io-46277", "type": 
"cve", "cve": "CVE-2021-37670"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43872/f17", "id": "pyup.io-43872", "type": "cve", "cve": "CVE-2021-29587"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46355/f17", "id": "pyup.io-46355", "type": "cve", "cve": "CVE-2022-21739"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46375/f17", "id": "pyup.io-46375", "type": "cve", "cve": "CVE-2022-23574"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43957/f17", "id": "pyup.io-43957", "type": "cve", "cve": "CVE-2021-29569"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44988/f17", "id": "pyup.io-44988", "type": "cve", "cve": "CVE-2020-14155"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46305/f17", "id": "pyup.io-46305", "type": "cve", "cve": "CVE-2021-22926"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46302/f17", "id": "pyup.io-46302", "type": "cve", "cve": "CVE-2021-22923"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43875/f17", "id": "pyup.io-43875", "type": "cve", "cve": "CVE-2021-29563"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 
'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46318/f17", "id": "pyup.io-46318", "type": "cve", "cve": "CVE-2021-41207"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46314/f17", "id": "pyup.io-46314", "type": "cve", "cve": "CVE-2021-41203"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46255/f17", "id": "pyup.io-46255", "type": "cve", "cve": "CVE-2021-37648"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46332/f17", "id": "pyup.io-46332", "type": "cve", "cve": "CVE-2021-41221"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46335/f17", "id": "pyup.io-46335", "type": "cve", "cve": "CVE-2021-41224"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46341/f17", "id": "pyup.io-46341", "type": "cve", "cve": "CVE-2022-21725"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46371/f17", "id": "pyup.io-46371", "type": "cve", "cve": "CVE-2022-23570"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43860/f17", "id": "pyup.io-43860", "type": "cve", "cve": "CVE-2021-29524"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, 
"more_info_path": "/v/46309/f17", "id": "pyup.io-46309", "type": "cve", "cve": "CVE-2021-41198"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43961/f17", "id": "pyup.io-43961", "type": "cve", "cve": "CVE-2021-29575"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43925/f17", "id": "pyup.io-43925", "type": "cve", "cve": "CVE-2021-29603"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46274/f17", "id": "pyup.io-46274", "type": "cve", "cve": "CVE-2021-37667"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43913/f17", "id": "pyup.io-43913", "type": "cve", "cve": "CVE-2021-29593"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43888/f17", "id": "pyup.io-43888", "type": "cve", "cve": "CVE-2021-29538"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45002/f17", "id": "pyup.io-45002", "type": "cve", "cve": "CVE-2020-15201"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46344/f17", "id": "pyup.io-46344", "type": "cve", "cve": "CVE-2022-21728"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43968/f17", "id": "pyup.io-43968", "type": "cve", "cve": "CVE-2021-29614"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 
0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43867/f17", "id": "pyup.io-43867", "type": "cve", "cve": "CVE-2021-29543"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46273/f17", "id": "pyup.io-46273", "type": "cve", "cve": "CVE-2021-37666"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43908/f17", "id": "pyup.io-43908", "type": "cve", "cve": "CVE-2021-29595"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46291/f17", "id": "pyup.io-46291", "type": "cve", "cve": "CVE-2021-37684"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46251/f17", "id": "pyup.io-46251", "type": "cve", "cve": "CVE-2021-37644"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46295/f17", "id": "pyup.io-46295", "type": "cve", "cve": "CVE-2021-37688"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46252/f17", "id": "pyup.io-46252", "type": "cve", "cve": "CVE-2021-37645"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46263/f17", "id": "pyup.io-46263", "type": "cve", "cve": "CVE-2021-37656"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": 
true, "more_info_path": "/v/46290/f17", "id": "pyup.io-46290", "type": "cve", "cve": "CVE-2021-37683"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46287/f17", "id": "pyup.io-46287", "type": "cve", "cve": "CVE-2021-37680"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46299/f17", "id": "pyup.io-46299", "type": "cve", "cve": "CVE-2021-37692"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46313/f17", "id": "pyup.io-46313", "type": "cve", "cve": "CVE-2021-41202"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46239/f17", "id": "pyup.io-46239", "type": "cve", "cve": "CVE-2021-22897"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46319/f17", "id": "pyup.io-46319", "type": "cve", "cve": "CVE-2021-41208"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46322/f17", "id": "pyup.io-46322", "type": "cve", "cve": "CVE-2021-41211"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46326/f17", "id": "pyup.io-46326", "type": "cve", "cve": "CVE-2021-41215"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46329/f17", "id": "pyup.io-46329", 
"type": "cve", "cve": "CVE-2021-41218"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/44992/f17", "id": "pyup.io-44992", "type": "cve", "cve": "CVE-2020-15191"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46339/f17", "id": "pyup.io-46339", "type": "cve", "cve": "CVE-2021-41228"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43859/f17", "id": "pyup.io-43859", "type": "cve", "cve": "CVE-2021-29522"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46347/f17", "id": "pyup.io-46347", "type": "cve", "cve": "CVE-2022-21731"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46361/f17", "id": "pyup.io-46361", "type": "cve", "cve": "CVE-2022-23560"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46368/f17", "id": "pyup.io-46368", "type": "cve", "cve": "CVE-2022-23567"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43870/f17", "id": "pyup.io-43870", "type": "cve", "cve": "CVE-2021-29534"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43874/f17", "id": "pyup.io-43874", "type": "cve", "cve": "CVE-2021-29566"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' 
to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43898/f17", "id": "pyup.io-43898", "type": "cve", "cve": "CVE-2021-29581"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43911/f17", "id": "pyup.io-43911", "type": "cve", "cve": "CVE-2021-29596"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43856/f17", "id": "pyup.io-43856", "type": "cve", "cve": "CVE-2021-29523"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45000/f17", "id": "pyup.io-45000", "type": "cve", "cve": "CVE-2020-15199"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43862/f17", "id": "pyup.io-43862", "type": "cve", "cve": "CVE-2021-29564"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46258/f17", "id": "pyup.io-46258", "type": "cve", "cve": "CVE-2021-37651"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43929/f17", "id": "pyup.io-43929", "type": "cve", "cve": "CVE-2021-29609"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46267/f17", "id": "pyup.io-46267", "type": "cve", "cve": "CVE-2021-37660"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46282/f17", "id": "pyup.io-46282", "type": 
"cve", "cve": "CVE-2021-37675"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46385/f17", "id": "pyup.io-46385", "type": "cve", "cve": "CVE-2022-23584"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43863/f17", "id": "pyup.io-43863", "type": "cve", "cve": "CVE-2021-29521"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43881/f17", "id": "pyup.io-43881", "type": "cve", "cve": "CVE-2021-29567"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43899/f17", "id": "pyup.io-43899", "type": "cve", "cve": "CVE-2021-29582"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45007/f17", "id": "pyup.io-45007", "type": "cve", "cve": "CVE-2020-15206"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43921/f17", "id": "pyup.io-43921", "type": "cve", "cve": "CVE-2021-29602"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43930/f17", "id": "pyup.io-43930", "type": "cve", "cve": "CVE-2021-29607"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43865/f17", "id": "pyup.io-43865", "type": "cve", "cve": "CVE-2021-29532"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": 
true, "more_info_path": "/v/43914/f17", "id": "pyup.io-43914", "type": "cve", "cve": "CVE-2021-29597"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43919/f17", "id": "pyup.io-43919", "type": "cve", "cve": "CVE-2021-29599"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45009/f17", "id": "pyup.io-45009", "type": "cve", "cve": "CVE-2020-15208"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43931/f17", "id": "pyup.io-43931", "type": "cve", "cve": "CVE-2021-29611"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43936/f17", "id": "pyup.io-43936", "type": "cve", "cve": "CVE-2021-29549"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43938/f17", "id": "pyup.io-43938", "type": "cve", "cve": "CVE-2021-29617"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43944/f17", "id": "pyup.io-43944", "type": "cve", "cve": "CVE-2021-29555"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43941/f17", "id": "pyup.io-43941", "type": "cve", "cve": "CVE-2021-29619"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43928/f17", "id": "pyup.io-43928", "type": "cve", "cve": "CVE-2021-29541"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46391/f17", "id": "pyup.io-46391", "type": "cve", "cve": "CVE-2022-23590"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46315/f17", "id": "pyup.io-46315", "type": "cve", "cve": "CVE-2021-41204"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46345/f17", "id": "pyup.io-46345", "type": "cve", "cve": "CVE-2022-21729"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46357/f17", "id": "pyup.io-46357", "type": "cve", "cve": "CVE-2022-21741"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46281/f17", "id": "pyup.io-46281", "type": "cve", "cve": "CVE-2021-37674"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43905/f17", "id": "pyup.io-43905", "type": "cve", "cve": "CVE-2021-29590"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45014/f17", "id": "pyup.io-45014", "type": "cve", "cve": "CVE-2020-15213"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45005/f17", "id": "pyup.io-45005", "type": "cve", "cve": "CVE-2020-15204"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, 
"more_info_path": "/v/45003/f17", "id": "pyup.io-45003", "type": "cve", "cve": "CVE-2020-15202"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46353/f17", "id": "pyup.io-46353", "type": "cve", "cve": "CVE-2022-21737"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46300/f17", "id": "pyup.io-46300", "type": "cve", "cve": "CVE-2021-22922"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46376/f17", "id": "pyup.io-46376", "type": "cve", "cve": "CVE-2022-23575"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46388/f17", "id": "pyup.io-46388", "type": "cve", "cve": "CVE-2022-23587"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44991/f17", "id": "pyup.io-44991", "type": "cve", "cve": "CVE-2020-15266"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46323/f17", "id": "pyup.io-46323", "type": "cve", "cve": "CVE-2021-41212"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44986/f17", "id": "pyup.io-44986", "type": "cve", "cve": "CVE-2019-20838"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44987/f17", "id": "pyup.io-44987", 
"type": "cve", "cve": "CVE-2020-15250"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45013/f17", "id": "pyup.io-45013", "type": "cve", "cve": "CVE-2020-15212"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46342/f17", "id": "pyup.io-46342", "type": "cve", "cve": "CVE-2022-21726"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46394/f17", "id": "pyup.io-46394", "type": "cve", "cve": "CVE-2022-23593"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45010/f17", "id": "pyup.io-45010", "type": "cve", "cve": "CVE-2020-15209"}, {"specs": ["<0.10.5"], "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.", "transitive": true, "more_info_path": "/v/39392/f17", "id": "pyup.io-39392", "type": "cve", "cve": "CVE-2020-26267"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45012/f17", "id": "pyup.io-45012", "type": "cve", "cve": "CVE-2020-15211"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43942/f17", "id": "pyup.io-43942", "type": "cve", "cve": "CVE-2021-29554"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/44993/f17", "id": "pyup.io-44993", "type": "cve", "cve": "CVE-2020-15192"}, {"specs": ["<0.10.4"], "advisory": 
"Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/44994/f17", "id": "pyup.io-44994", "type": "cve", "cve": "CVE-2020-15193"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43937/f17", "id": "pyup.io-43937", "type": "cve", "cve": "CVE-2021-29618"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43943/f17", "id": "pyup.io-43943", "type": "cve", "cve": "CVE-2020-8177"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43946/f17", "id": "pyup.io-43946", "type": "cve", "cve": "CVE-2020-8284"}, {"specs": ["<0.10.6"], "advisory": "Pupyl before 0.10.6 includes Tensorflow 2.3.1 which has security issues (see issue 73) and should therefore be upgraded to 2.4.0. 
However, the last version of Tensorflow has issues on its compilation (see Tensorflow issue 45744), and hence must be downgraded to ensure that the library still works.", "transitive": false, "more_info_path": "/v/39400/f17", "id": "pyup.io-39400", "type": "pve", "cve": "PVE-2021-39400"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43952/f17", "id": "pyup.io-43952", "type": "cve", "cve": "CVE-2021-29565"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46363/f17", "id": "pyup.io-46363", "type": "cve", "cve": "CVE-2022-23562"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46389/f17", "id": "pyup.io-46389", "type": "cve", "cve": "CVE-2022-23588"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46238/f17", "id": "pyup.io-46238", "type": "cve", "cve": "CVE-2021-22876"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46241/f17", "id": "pyup.io-46241", "type": "cve", "cve": "CVE-2021-22901"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.", "transitive": true, "more_info_path": "/v/43871/f17", "id": "pyup.io-43871", "type": "cve", "cve": "CVE-2021-29610"}, {"specs": ["<0.10.4"], "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45006/f17", "id": "pyup.io-45006", "type": "cve", "cve": "CVE-2020-15205"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 
0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46336/f17", "id": "pyup.io-46336", "type": "cve", "cve": "CVE-2021-41225"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46393/f17", "id": "pyup.io-46393", "type": "cve", "cve": "CVE-2022-23592"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": true, "more_info_path": "/v/43966/f17", "id": "pyup.io-43966", "type": "cve", "cve": "CVE-2021-29571"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46262/f17", "id": "pyup.io-46262", "type": "cve", "cve": "CVE-2021-37655"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46272/f17", "id": "pyup.io-46272", "type": "cve", "cve": "CVE-2021-37665"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46278/f17", "id": "pyup.io-46278", "type": "cve", "cve": "CVE-2021-37671"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46261/f17", "id": "pyup.io-46261", "type": "cve", "cve": "CVE-2021-37654"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46260/f17", "id": "pyup.io-46260", "type": "cve", "cve": "CVE-2021-37653"}, {"specs": ["<0.11.1"], "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes", "transitive": 
true, "more_info_path": "/v/43949/f17", "id": "pyup.io-43949", "type": "cve", "cve": "CVE-2021-29558"}, {"specs": ["<0.12.1"], "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46288/f17", "id": "pyup.io-46288", "type": "cve", "cve": "CVE-2021-37681"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46306/f17", "id": "pyup.io-46306", "type": "cve", "cve": "CVE-2021-41195"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46307/f17", "id": "pyup.io-46307", "type": "cve", "cve": "CVE-2021-41196"}, {"specs": ["<0.12.4"], "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46308/f17", "id": "pyup.io-46308", "type": "cve", "cve": "CVE-2021-41197"}, {"specs": ["<0.13.2"], "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46369/f17", "id": "pyup.io-46369", "type": "cve", "cve": "CVE-2022-23568"}], "jina": [{"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/41713/f17", "id": "pyup.io-41713", "type": "cve", "cve": "CVE-2021-29539"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44105/f17", "id": "pyup.io-44105", "type": "cve", "cve": "CVE-2021-29584"}, {"specs": ["<2.0.24"], "advisory": "Jina version 2.0.24 updates its dependency \"pillow\" to v8.3.2 to include security fixes.", "transitive": true, "more_info_path": 
"/v/41712/f17", "id": "pyup.io-41712", "type": "cve", "cve": "CVE-2021-23437"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44097/f17", "id": "pyup.io-44097", "type": "cve", "cve": "CVE-2021-29513"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44170/f17", "id": "pyup.io-44170", "type": "cve", "cve": "CVE-2021-29571"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44115/f17", "id": "pyup.io-44115", "type": "cve", "cve": "CVE-2021-29596"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44108/f17", "id": "pyup.io-44108", "type": "cve", "cve": "CVE-2021-29588"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44122/f17", "id": "pyup.io-44122", "type": "cve", "cve": "CVE-2021-29598"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44092/f17", "id": "pyup.io-44092", "type": "cve", "cve": "CVE-2021-29536"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44157/f17", "id": "pyup.io-44157", "type": "cve", "cve": "CVE-2021-29526"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": 
"/v/44148/f17", "id": "pyup.io-44148", "type": "cve", "cve": "CVE-2020-8231"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44151/f17", "id": "pyup.io-44151", "type": "cve", "cve": "CVE-2021-29556"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44076/f17", "id": "pyup.io-44076", "type": "cve", "cve": "CVE-2021-29610"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44144/f17", "id": "pyup.io-44144", "type": "cve", "cve": "CVE-2021-29552"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44136/f17", "id": "pyup.io-44136", "type": "cve", "cve": "CVE-2021-29549"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44119/f17", "id": "pyup.io-44119", "type": "cve", "cve": "CVE-2021-29529"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44088/f17", "id": "pyup.io-44088", "type": "cve", "cve": "CVE-2021-29512"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44145/f17", "id": "pyup.io-44145", "type": "cve", "cve": "CVE-2021-29554"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": 
"/v/44126/f17", "id": "pyup.io-44126", "type": "cve", "cve": "CVE-2021-29603"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44173/f17", "id": "pyup.io-44173", "type": "cve", "cve": "CVE-2021-29614"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44101/f17", "id": "pyup.io-44101", "type": "cve", "cve": "CVE-2021-29579"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44163/f17", "id": "pyup.io-44163", "type": "cve", "cve": "CVE-2021-29562"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44072/f17", "id": "pyup.io-44072", "type": "cve", "cve": "CVE-2021-29543"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44159/f17", "id": "pyup.io-44159", "type": "cve", "cve": "CVE-2021-29516"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44133/f17", "id": "pyup.io-44133", "type": "cve", "cve": "CVE-2021-29611"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44117/f17", "id": "pyup.io-44117", "type": "cve", "cve": "CVE-2021-29528"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": 
"/v/44090/f17", "id": "pyup.io-44090", "type": "cve", "cve": "CVE-2021-29535"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44074/f17", "id": "pyup.io-44074", "type": "cve", "cve": "CVE-2021-29544"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44120/f17", "id": "pyup.io-44120", "type": "cve", "cve": "CVE-2021-29597"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44061/f17", "id": "pyup.io-44061", "type": "cve", "cve": "CVE-2021-29525"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44082/f17", "id": "pyup.io-44082", "type": "cve", "cve": "CVE-2021-29550"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44080/f17", "id": "pyup.io-44080", "type": "cve", "cve": "CVE-2021-29563"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44113/f17", "id": "pyup.io-44113", "type": "cve", "cve": "CVE-2021-29595"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44077/f17", "id": "pyup.io-44077", "type": "cve", "cve": "CVE-2021-29587"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": 
"/v/44118/f17", "id": "pyup.io-44118", "type": "cve", "cve": "CVE-2021-29530"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44156/f17", "id": "pyup.io-44156", "type": "cve", "cve": "CVE-2021-29518"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44110/f17", "id": "pyup.io-44110", "type": "cve", "cve": "CVE-2021-29591"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44111/f17", "id": "pyup.io-44111", "type": "cve", "cve": "CVE-2021-29592"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44084/f17", "id": "pyup.io-44084", "type": "cve", "cve": "CVE-2021-29537"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44065/f17", "id": "pyup.io-44065", "type": "cve", "cve": "CVE-2021-29520"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44066/f17", "id": "pyup.io-44066", "type": "cve", "cve": "CVE-2021-29564"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44106/f17", "id": "pyup.io-44106", "type": "cve", "cve": "CVE-2021-29585"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": 
"/v/44081/f17", "id": "pyup.io-44081", "type": "cve", "cve": "CVE-2021-29560"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44095/f17", "id": "pyup.io-44095", "type": "cve", "cve": "CVE-2021-29608"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44153/f17", "id": "pyup.io-44153", "type": "cve", "cve": "CVE-2021-29559"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44079/f17", "id": "pyup.io-44079", "type": "cve", "cve": "CVE-2021-29566"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44152/f17", "id": "pyup.io-44152", "type": "cve", "cve": "CVE-2021-29558"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44112/f17", "id": "pyup.io-44112", "type": "cve", "cve": "CVE-2021-29594"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44167/f17", "id": "pyup.io-44167", "type": "cve", "cve": "CVE-2021-29573"}, {"specs": ["<3.4.5"], "advisory": "Jina 3.4.5 installs latest security updates in its docker image. 
Old script wasn't doing it correctly.\r\nhttps://github.com/jina-ai/jina/commit/aa2d7c8d4cf2d3e9b9f5d4315ce24f2f6a3276a3", "transitive": true, "more_info_path": "/v/48611/f17", "id": "pyup.io-48611", "type": "pve", "cve": "PVE-2022-48611"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44142/f17", "id": "pyup.io-44142", "type": "cve", "cve": "CVE-2021-29552"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44161/f17", "id": "pyup.io-44161", "type": "cve", "cve": "CVE-2021-29569"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44063/f17", "id": "pyup.io-44063", "type": "cve", "cve": "CVE-2021-29522"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44140/f17", "id": "pyup.io-44140", "type": "cve", "cve": "CVE-2021-29618"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44139/f17", "id": "pyup.io-44139", "type": "cve", "cve": "CVE-2021-29617"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44075/f17", "id": "pyup.io-44075", "type": "cve", "cve": "CVE-2021-29534"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44164/f17", "id": "pyup.io-44164", "type": "cve", "cve": "CVE-2021-29570"}, {"specs": 
["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44135/f17", "id": "pyup.io-44135", "type": "cve", "cve": "CVE-2021-29546"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44129/f17", "id": "pyup.io-44129", "type": "cve", "cve": "CVE-2021-29542"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44070/f17", "id": "pyup.io-44070", "type": "cve", "cve": "CVE-2021-29532"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44166/f17", "id": "pyup.io-44166", "type": "cve", "cve": "CVE-2021-29515"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44083/f17", "id": "pyup.io-44083", "type": "cve", "cve": "CVE-2021-29545"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44068/f17", "id": "pyup.io-44068", "type": "cve", "cve": "CVE-2021-29523"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44067/f17", "id": "pyup.io-44067", "type": "cve", "cve": "CVE-2021-29521"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44069/f17", "id": "pyup.io-44069", "type": "cve", "cve": "CVE-2020-8169"}, {"specs": 
["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44143/f17", "id": "pyup.io-44143", "type": "cve", "cve": "CVE-2021-29619"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44085/f17", "id": "pyup.io-44085", "type": "cve", "cve": "CVE-2021-29514"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44158/f17", "id": "pyup.io-44158", "type": "cve", "cve": "CVE-2021-29516"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44104/f17", "id": "pyup.io-44104", "type": "cve", "cve": "CVE-2021-29583"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44098/f17", "id": "pyup.io-44098", "type": "cve", "cve": "CVE-2021-29572"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44071/f17", "id": "pyup.io-44071", "type": "cve", "cve": "CVE-2021-29616"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44062/f17", "id": "pyup.io-44062", "type": "cve", "cve": "CVE-2021-29519"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44155/f17", "id": "pyup.io-44155", "type": "cve", "cve": "CVE-2020-8286"}, {"specs": 
["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44154/f17", "id": "pyup.io-44154", "type": "cve", "cve": "CVE-2021-29565"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44137/f17", "id": "pyup.io-44137", "type": "cve", "cve": "CVE-2021-29613"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44134/f17", "id": "pyup.io-44134", "type": "cve", "cve": "CVE-2021-29612"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44096/f17", "id": "pyup.io-44096", "type": "cve", "cve": "CVE-2021-29551"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44086/f17", "id": "pyup.io-44086", "type": "cve", "cve": "CVE-2021-29567"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44171/f17", "id": "pyup.io-44171", "type": "cve", "cve": "CVE-2021-29577"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44089/f17", "id": "pyup.io-44089", "type": "cve", "cve": "CVE-2021-29533"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44107/f17", "id": "pyup.io-44107", "type": "cve", "cve": "CVE-2021-29586"}, {"specs": 
["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44149/f17", "id": "pyup.io-44149", "type": "cve", "cve": "CVE-2021-29557"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44100/f17", "id": "pyup.io-44100", "type": "cve", "cve": "CVE-2021-29578"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44160/f17", "id": "pyup.io-44160", "type": "cve", "cve": "CVE-2021-29517"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44127/f17", "id": "pyup.io-44127", "type": "cve", "cve": "CVE-2021-29605"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44114/f17", "id": "pyup.io-44114", "type": "cve", "cve": "CVE-2021-29593"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44125/f17", "id": "pyup.io-44125", "type": "cve", "cve": "CVE-2021-29601"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44128/f17", "id": "pyup.io-44128", "type": "cve", "cve": "CVE-2021-29606"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44094/f17", "id": "pyup.io-44094", "type": "cve", "cve": "CVE-2021-29540"}, {"specs": 
["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44172/f17", "id": "pyup.io-44172", "type": "cve", "cve": "CVE-2020-8285"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44169/f17", "id": "pyup.io-44169", "type": "cve", "cve": "CVE-2021-29576"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44124/f17", "id": "pyup.io-44124", "type": "cve", "cve": "CVE-2021-29600"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44121/f17", "id": "pyup.io-44121", "type": "cve", "cve": "CVE-2021-29531"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44130/f17", "id": "pyup.io-44130", "type": "cve", "cve": "CVE-2021-29541"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44132/f17", "id": "pyup.io-44132", "type": "cve", "cve": "CVE-2021-29609"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44073/f17", "id": "pyup.io-44073", "type": "cve", "cve": "CVE-2021-29547"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44162/f17", "id": "pyup.io-44162", "type": "cve", "cve": "CVE-2021-29561"}, {"specs": 
["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44091/f17", "id": "pyup.io-44091", "type": "cve", "cve": "CVE-2021-29548"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44078/f17", "id": "pyup.io-44078", "type": "cve", "cve": "CVE-2021-29568"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44131/f17", "id": "pyup.io-44131", "type": "cve", "cve": "CVE-2021-29607"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44123/f17", "id": "pyup.io-44123", "type": "cve", "cve": "CVE-2021-29599"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44150/f17", "id": "pyup.io-44150", "type": "cve", "cve": "CVE-2020-8284"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44109/f17", "id": "pyup.io-44109", "type": "cve", "cve": "CVE-2021-29590"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44064/f17", "id": "pyup.io-44064", "type": "cve", "cve": "CVE-2021-29524"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44165/f17", "id": "pyup.io-44165", "type": "cve", "cve": "CVE-2021-29575"}, {"specs": 
["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44138/f17", "id": "pyup.io-44138", "type": "cve", "cve": "CVE-2021-29615"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44103/f17", "id": "pyup.io-44103", "type": "cve", "cve": "CVE-2021-29582"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44141/f17", "id": "pyup.io-44141", "type": "cve", "cve": "CVE-2021-29553"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44116/f17", "id": "pyup.io-44116", "type": "cve", "cve": "CVE-2021-29527"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44146/f17", "id": "pyup.io-44146", "type": "cve", "cve": "CVE-2020-8177"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44168/f17", "id": "pyup.io-44168", "type": "cve", "cve": "CVE-2021-29574"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44093/f17", "id": "pyup.io-44093", "type": "cve", "cve": "CVE-2021-29538"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44147/f17", "id": "pyup.io-44147", "type": "cve", "cve": "CVE-2021-29555"}, {"specs": 
["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44099/f17", "id": "pyup.io-44099", "type": "cve", "cve": "CVE-2021-29580"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44102/f17", "id": "pyup.io-44102", "type": "cve", "cve": "CVE-2021-29581"}, {"specs": ["<2.0.0"], "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.", "transitive": true, "more_info_path": "/v/44087/f17", "id": "pyup.io-44087", "type": "cve", "cve": "CVE-2021-29589"}], "bento-lib": [{"specs": ["<6.0.1"], "advisory": "Bento-lib 6.0.1 updates its dependency 'redis' to v4.5.4 to include security fixes.", "transitive": true, "more_info_path": "/v/54854/f17", "id": "pyup.io-54854", "type": "cve", "cve": "CVE-2023-28859"}, {"specs": ["<3.0.1"], "advisory": "Bento-lib 3.0.1 includes security fix to prevent data leak in error messages from data structure queries by default and adds 'secure_errors' param for data structure querying methods.\r\nhttps://github.com/bento-platform/bento_lib/commit/991ee4fd406e3397435d1c8c02f1d0c48b9ec594\r\nhttps://github.com/bento-platform/bento_lib/commit/046a023abe8de0c3e13963a0c236df4f34ade244", "transitive": false, "more_info_path": "/v/41035/f17", "id": "pyup.io-41035", "type": "pve", "cve": "PVE-2021-41035"}, {"specs": ["<6.0.1"], "advisory": "Bento-lib 6.0.1 updates its dependency 'redis' to v4.5.4 to include security fixes.", "transitive": true, "more_info_path": "/v/54855/f17", "id": "pyup.io-54855", "type": "cve", "cve": "CVE-2023-28858"}], "keystone": [{"specs": [">0"], "advisory": "Keystone has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. 
\r\nNOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.\r\nhttps://bugs.launchpad.net/keystone/+bug/1795800", "transitive": false, "more_info_path": "/v/36734/f17", "id": "pyup.io-36734", "type": "cve", "cve": "CVE-2018-20170"}, {"specs": [">=2010,<2012.1.3"], "advisory": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.", "transitive": false, "more_info_path": "/v/35373/f17", "id": "pyup.io-35373", "type": "cve", "cve": "CVE-2012-4413"}, {"specs": ["<15.0.1", ">=16.0.0.0rc1,<=16.0.0"], "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.", "transitive": false, "more_info_path": "/v/38584/f17", "id": "pyup.io-38584", "type": "cve", "cve": "CVE-2020-12692"}, {"specs": ["<=21.0.0"], "advisory": "Keystone is affected by CVE-2022-2447: A flaw was found in OpenStack. The application credential tokens can be used even after they have expired. This flaw allows an authenticated remote attacker to obtain access despite the defender's efforts to remove access.\r\nhttps://access.redhat.com/security/cve/CVE-2022-2447\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2105419", "transitive": false, "more_info_path": "/v/50894/f17", "id": "pyup.io-50894", "type": "cve", "cve": "CVE-2022-2447"}, {"specs": ["==15.0.0", "==16.0.0"], "advisory": "OpenStack Keystone 15.0.0 and 16.0.0 are affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. 
Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) See: CVE-2019-19687.", "transitive": false, "more_info_path": "/v/37770/f17", "id": "pyup.io-37770", "type": "cve", "cve": "CVE-2019-19687"}, {"specs": ["<15.0.1", ">=16.0.0.0rc1,<=16.0.0"], "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.", "transitive": false, "more_info_path": "/v/38585/f17", "id": "pyup.io-38585", "type": "cve", "cve": "CVE-2020-12691"}, {"specs": [">=2013,<2014"], "advisory": "HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. 
See: CVE-2013-2255.", "transitive": false, "more_info_path": "/v/38589/f17", "id": "pyup.io-38589", "type": "cve", "cve": "CVE-2013-2255"}, {"specs": [">=2010,<2012.2"], "advisory": "OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.\r\nhttps://review.opendev.org/c/openstack/keystone/+/24906", "transitive": false, "more_info_path": "/v/35416/f17", "id": "pyup.io-35416", "type": "cve", "cve": "CVE-2013-1865"}, {"specs": [">=2012.2.0,<2013.1.4"], "advisory": "The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token.", "transitive": false, "more_info_path": "/v/35459/f17", "id": "pyup.io-35459", "type": "cve", "cve": "CVE-2013-4294"}, {"specs": [">=2010,<2012.1"], "advisory": "OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. 
NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.", "transitive": false, "more_info_path": "/v/35370/f17", "id": "pyup.io-35370", "type": "cve", "cve": "CVE-2012-3542"}, {"specs": [">=2010,<2012.1.2"], "advisory": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.", "transitive": false, "more_info_path": "/v/35374/f17", "id": "pyup.io-35374", "type": "cve", "cve": "CVE-2012-4456"}, {"specs": [">=2010,<2012.2"], "advisory": "OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.", "transitive": false, "more_info_path": "/v/35399/f17", "id": "pyup.io-35399", "type": "cve", "cve": "CVE-2012-5563"}, {"specs": [">=10.0.0.0rc1,<16.0.2", ">=17.0.0.0rc1,<17.0.1", ">=18.0.0.0rc1,<18.0.1", ">=19.0.0.0rc1,<19.0.1"], "advisory": "Keystone versions 16.0.2, 17.0.1, 18.0.1 and 19.0.1 include a fix for CVE-2021-38155: OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. 
All deployments enabling security_compliance.lockout_failure_attempts are affected.\r\nhttps://security.openstack.org/ossa/OSSA-2021-003.html", "transitive": false, "more_info_path": "/v/45246/f17", "id": "pyup.io-45246", "type": "cve", "cve": "CVE-2021-38155"}, {"specs": ["<15.0.1", ">=16.0.0.0rc1,<=16.0.0"], "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.", "transitive": false, "more_info_path": "/v/38587/f17", "id": "pyup.io-38587", "type": "cve", "cve": "CVE-2020-12689"}, {"specs": ["<8.0.0"], "advisory": "In Keystone versions prior to 8.0.0, It is possible to remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB). See also: CVE-2012-1572 and https://security.openstack.org/ossa/OSSA-2012-002.html.\r\nhttps://github.com/openstack/keystone/commit/239e4f64c2134338b32ffd6d42c0b6ff70cd040c", "transitive": false, "more_info_path": "/v/38586/f17", "id": "pyup.io-38586", "type": "cve", "cve": "CVE-2012-1572"}, {"specs": ["<15.0.1", ">=16.0.0.0rc1,<=16.0.0"], "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. 
Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. See: CVE-2020-12690.", "transitive": false, "more_info_path": "/v/38583/f17", "id": "pyup.io-38583", "type": "cve", "cve": "CVE-2020-12690"}, {"specs": [">0"], "advisory": "Keystone is affected by CVE-2021-3563: Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.\r\nhttps://bugs.launchpad.net/ossa/+bug/1901891", "transitive": false, "more_info_path": "/v/50789/f17", "id": "pyup.io-50789", "type": "cve", "cve": "CVE-2021-3563"}], "authbwc": [{"specs": ["<0.1.4"], "advisory": "Authbwc 0.1.4 fixes an issue with the way the HTTP session user permissions were loaded. This vulnerability made it possible for a user to gain the permissions of the user logged in previously. 
The user would have had to be sharing the same http session for this access to have been gained.", "transitive": false, "more_info_path": "/v/25631/f17", "id": "pyup.io-25631", "type": "pve", "cve": "PVE-2021-25631"}, {"specs": ["<0.3.1"], "advisory": "authbwc before 0.3.1 has a vulnerability in the password reset process that allowed users to log in when inactive.", "transitive": false, "more_info_path": "/v/34836/f17", "id": "pyup.io-34836", "type": "pve", "cve": "PVE-2021-34836"}], "ansible": [{"specs": ["<1.2.1"], "advisory": "Ansible 1.2.1 includes a fix for CVE-2013-2233: Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=980821", "transitive": false, "more_info_path": "/v/42921/f17", "id": "pyup.io-42921", "type": "cve", "cve": "CVE-2013-2233"}, {"specs": ["<1.9.2"], "advisory": "Ansible 1.9.2 includes a fix for CVE-2015-6240: The chroot, jail, and zone connection plugins in Ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1243468", "transitive": false, "more_info_path": "/v/42917/f17", "id": "pyup.io-42917", "type": "cve", "cve": "CVE-2015-6240"}, {"specs": ["<1.2.3"], "advisory": "Ansible 1.2.3 includes a fix for CVE-2013-4259: runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/.", "transitive": false, "more_info_path": "/v/42920/f17", "id": "pyup.io-42920", "type": "cve", "cve": "CVE-2013-4259"}, {"specs": ["<1.6.6"], "advisory": "Ansible 1.6.6 includes a fix for CVE-2014-3498: The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.", "transitive": false, "more_info_path": "/v/25620/f17", "id": "pyup.io-25620", "type": "cve", "cve": 
"CVE-2014-3498"}, {"specs": [">=2.8.0a0,<2.8.4"], "advisory": "Ansible 2.8.4 includes a fix for CVE-2019-10217: A flaw was found in Ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all GCP modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running Ansible playbooks.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217", "transitive": false, "more_info_path": "/v/42885/f17", "id": "pyup.io-42885", "type": "cve", "cve": "CVE-2019-10217"}, {"specs": ["<3.0.0"], "advisory": "Ansible 3.0.0 includes a fix for CVE-2021-3533: A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. 
This flaw also affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956477", "transitive": false, "more_info_path": "/v/42926/f17", "id": "pyup.io-42926", "type": "cve", "cve": "CVE-2021-3533"}, {"specs": [">=0,<2.4.6.0", ">=2.5,<2.5.6", ">=2.6,<2.6.1"], "advisory": "In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.", "transitive": false, "more_info_path": "/v/53995/f17", "id": "pyup.io-53995", "type": "cve", "cve": "CVE-2018-10874"}, {"specs": ["<1.5.5"], "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4658: The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.", "transitive": false, "more_info_path": "/v/25618/f17", "id": "pyup.io-25618", "type": "cve", "cve": "CVE-2014-4658"}, {"specs": ["<2.1.4.0", ">2.1.4.0,<2.2.1.0"], "advisory": "Ansible versions 2.1.4 and 2.2.1 include a fix for CVE-2016-9587: Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. 
An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://www.exploit-db.com/exploits/41013/", "transitive": false, "more_info_path": "/v/33285/f17", "id": "pyup.io-33285", "type": "cve", "cve": "CVE-2016-9587"}, {"specs": [">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6"], "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684", "transitive": false, "more_info_path": "/v/42864/f17", "id": "pyup.io-42864", "type": "cve", "cve": "CVE-2020-10684"}, {"specs": [">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6"], "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. 
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736", "transitive": false, "more_info_path": "/v/42875/f17", "id": "pyup.io-42875", "type": "cve", "cve": "CVE-2020-1736"}, {"specs": [">=0,<2.6.20", ">=2.7.0,<2.7.14", ">=2.8.0,<2.8.6"], "advisory": "In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.", "transitive": false, "more_info_path": "/v/54288/f17", "id": "pyup.io-54288", "type": "cve", "cve": "CVE-2019-14846"}, {"specs": [">=2.5.0,<2.5.5", ">=2.4.0,<2.4.5"], "advisory": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.", "transitive": false, "more_info_path": "/v/54290/f17", "id": "pyup.io-54290", "type": "cve", "cve": "CVE-2018-10855"}, {"specs": ["<1.8.3"], "advisory": "ansible 1.8.3 fixes a security bug related to the default permissions set on a temporary file created when using \"ansible-vault view <filename>\".", "transitive": false, "more_info_path": "/v/25624/f17", "id": "pyup.io-25624", "type": "pve", "cve": "PVE-2021-25624"}, {"specs": ["<1.6.7"], "advisory": "Ansible before 1.6.7 does not prevent inventory data with \"{{\" and \"lookup\" substrings, and does not prevent remote data with \"{{\" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.", "transitive": false, "more_info_path": "/v/42334/f17", "id": 
"pyup.io-42334", "type": "cve", "cve": "CVE-2014-4966"}, {"specs": [">=2.5.0a0,<2.5.14", ">=2.6.0a0,<2.6.11", ">=2.7.0a0,<2.7.5"], "advisory": "Ansible 2.5.14, 2.6.11 and 2.7.5 include a fix for CVE-2018-16876: Ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876", "transitive": false, "more_info_path": "/v/42889/f17", "id": "pyup.io-42889", "type": "cve", "cve": "CVE-2018-16876"}, {"specs": ["<1.9.2"], "advisory": "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "transitive": false, "more_info_path": "/v/25625/f17", "id": "pyup.io-25625", "type": "cve", "cve": "CVE-2015-3908"}, {"specs": ["<1.2.3"], "advisory": "Ansible 1.2.3 includes local security fixes for predictable file locations for ControlPersist and retry file paths on shared machines on operating systems without kernel symlink/hardlink protections. See CVE-2013-4260.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=998227", "transitive": false, "more_info_path": "/v/25616/f17", "id": "pyup.io-25616", "type": "cve", "cve": "CVE-2013-4260"}, {"specs": [">=2.9.0,<2.9.7"], "advisory": "An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. 
An attacker could take advantage to overwrite any file within the system.", "transitive": false, "more_info_path": "/v/54172/f17", "id": "pyup.io-54172", "type": "cve", "cve": "CVE-2020-10691"}, {"specs": [">=0,<2.8.15", ">=2.9.0,<2.9.13"], "advisory": "A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.", "transitive": false, "more_info_path": "/v/54224/f17", "id": "pyup.io-54224", "type": "cve", "cve": "CVE-2020-14365"}, {"specs": [">=0,<2.9.27"], "advisory": "Ansible is an IT automation system that handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. A flaw was found in Ansible Engine's ansible-connection module where sensitive information, such as the Ansible user credentials, is disclosed by default in the traceback error message when Ansible receives an unexpected response from `set_options`. 
The highest threat from this vulnerability is confidentiality.", "transitive": false, "more_info_path": "/v/54421/f17", "id": "pyup.io-54421", "type": "cve", "cve": "CVE-2021-3620"}, {"specs": [">=2.0.0.0,<2.0.2", "<1.9.6"], "advisory": "Ansible 1.9.6 and 2.0.2 include a fix for CVE-2016-3096: The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", "transitive": false, "more_info_path": "/v/25627/f17", "id": "pyup.io-25627", "type": "cve", "cve": "CVE-2016-3096"}, {"specs": [">=2.8.0a0,<2.8.8", ">=2.9.0a0,<2.9.3", "<2.7.16"], "advisory": "Ansible versions 2.7.16, 2.8.8 and 2.9.3 include a fix for CVE-2019-14904: A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1776944", "transitive": false, "more_info_path": "/v/42881/f17", "id": "pyup.io-42881", "type": "cve", "cve": "CVE-2019-14904"}, {"specs": [">=2.7.0,<2.7.16", ">=2.8.0,<2.8.8", ">=2.9.0,<2.9.3"], "advisory": "A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. 
This could result in a loss of confidentiality of the system among other issues.", "transitive": false, "more_info_path": "/v/54155/f17", "id": "pyup.io-54155", "type": "cve", "cve": "CVE-2019-14905"}, {"specs": ["<1.6.4"], "advisory": "Ansible 1.6.4 includes a fix for CVE-2014-4678: The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.", "transitive": false, "more_info_path": "/v/25619/f17", "id": "pyup.io-25619", "type": "cve", "cve": "CVE-2014-4678"}, {"specs": [">=2.8.0a0,<2.8.2", ">=2.7.0a0,<2.7.12", ">=2.6.0a0,<2.6.18"], "advisory": "Ansible 2.6.18, 2.7.12 and 2.8.2 include a fix for CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156", "transitive": false, "more_info_path": "/v/42887/f17", "id": "pyup.io-42887", "type": "cve", "cve": "CVE-2019-10156"}, {"specs": [">=2.0,<2.8.1"], "advisory": "A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. 
As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.", "transitive": false, "more_info_path": "/v/54153/f17", "id": "pyup.io-54153", "type": "cve", "cve": "CVE-2019-14858"}, {"specs": [">=2.7,<2.7.1", ">=2.6,<2.6.7", ">=0,<2.5.11"], "advisory": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.", "transitive": false, "more_info_path": "/v/54010/f17", "id": "pyup.io-54010", "type": "cve", "cve": "CVE-2018-16837"}, {"specs": [">=2.10.0,<2.10.7", ">=2.9.0,<2.9.18", ">=0,<2.8.19"], "advisory": "A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.", "transitive": false, "more_info_path": "/v/54286/f17", "id": "pyup.io-54286", "type": "cve", "cve": "CVE-2021-20228"}, {"specs": [">=0,<2.8.14", ">=2.9.0,<2.9.12"], "advisory": "A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.", "transitive": false, "more_info_path": "/v/54226/f17", "id": "pyup.io-54226", "type": "cve", "cve": "CVE-2020-14332"}, {"specs": [">=0"], "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. 
Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.", "transitive": false, "more_info_path": "/v/54229/f17", "id": "pyup.io-54229", "type": "cve", "cve": "CVE-2020-25636"}, {"specs": [">=0"], "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality.", "transitive": false, "more_info_path": "/v/54230/f17", "id": "pyup.io-54230", "type": "cve", "cve": "CVE-2020-25635"}, {"specs": ["<1.5.4"], "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-4657: The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.", "transitive": false, "more_info_path": "/v/25617/f17", "id": "pyup.io-25617", "type": "cve", "cve": "CVE-2014-4657"}, {"specs": ["<2.2.0"], "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8614: A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614", "transitive": false, "more_info_path": "/v/42916/f17", "id": "pyup.io-42916", "type": "cve", "cve": "CVE-2016-8614"}, {"specs": [">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6"], "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. 
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738", "transitive": false, "more_info_path": "/v/42873/f17", "id": "pyup.io-42873", "type": "cve", "cve": "CVE-2020-1738"}, {"specs": ["<2.9.23"], "advisory": "Ansible 2.9.23 includes a fix for CVE-2021-3583: A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1968412", "transitive": false, "more_info_path": "/v/42924/f17", "id": "pyup.io-42924", "type": "cve", "cve": "CVE-2021-3583"}, {"specs": ["<2.2.0"], "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8628: Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628", "transitive": false, "more_info_path": "/v/42915/f17", "id": "pyup.io-42915", "type": "cve", "cve": "CVE-2016-8628"}, {"specs": ["<2.3"], "advisory": "Ansible 2.3 includes a fix for CVE-2017-7466: Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. 
An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466", "transitive": false, "more_info_path": "/v/42890/f17", "id": "pyup.io-42890", "type": "cve", "cve": "CVE-2017-7466"}, {"specs": [">=0,<2.7.17"], "advisory": "A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.", "transitive": false, "more_info_path": "/v/54189/f17", "id": "pyup.io-54189", "type": "cve", "cve": "CVE-2020-1734"}, {"specs": [">=0,<2.7.17", ">=2.8.0,<2.8.9", ">=2.9.0,<2.9.6"], "advisory": "A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. 
This issue is fixed in 2.10.", "transitive": false, "more_info_path": "/v/54191/f17", "id": "pyup.io-54191", "type": "cve", "cve": "CVE-2020-1737"}, {"specs": ["<1.7"], "advisory": "Ansible 1.7.0 avoids templating raw lookup strings.\r\nhttps://github.com/ansible/ansible/commit/650e967b30f26c285441fb848a408044c51ad622", "transitive": false, "more_info_path": "/v/45329/f17", "id": "pyup.io-45329", "type": "pve", "cve": "PVE-2022-45329"}, {"specs": [">=2.7.0,<2.7.4", ">=2.7.5,<2.8.1", ">=0,<2.5.13", ">=2.6.0,<2.6.10"], "advisory": "Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.", "transitive": false, "more_info_path": "/v/54011/f17", "id": "pyup.io-54011", "type": "cve", "cve": "CVE-2018-16859"}, {"specs": [">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6"], "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739", "transitive": false, "more_info_path": "/v/42871/f17", "id": "pyup.io-42871", "type": "cve", "cve": "CVE-2020-1739"}, {"specs": [">=2.8.0a1,<2.8.19", ">=2.9.0b1,<2.9.18"], "advisory": "A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. 
This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.", "transitive": false, "more_info_path": "/v/54426/f17", "id": "pyup.io-54426", "type": "cve", "cve": "CVE-2021-20180"}, {"specs": [">=2.8.0a0,<2.8.4", ">=2.7.0a0,<2.7.13", ">=2.6.0a0,<2.6.19"], "advisory": "Ansible 2.6.19, 2.7.13 and 2.8.4 include a fix for CVE-2019-10206: Ansible-playbook -k and Ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206", "transitive": false, "more_info_path": "/v/42886/f17", "id": "pyup.io-42886", "type": "cve", "cve": "CVE-2019-10206"}, {"specs": [">=0,<2.10.0"], "advisory": "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.", "transitive": false, "more_info_path": "/v/54219/f17", "id": "pyup.io-54219", "type": "cve", "cve": "CVE-2020-14330"}, {"specs": [">=2.7.0a0,<2.7.18", ">=2.8.0a0,<2.8.12", ">=2.9.0a0,<2.9.9"], "advisory": "Ansible versions 2.7.18, 2.8.12 and 2.9.9 include a fix for CVE-2020-10744: The provided fix for CVE-2020-1733 was insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 and previous versions are affected. 
Also Ansible Tower 3.4.5, 3.5.6 and 3.6.4 and previous versions.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744", "transitive": false, "more_info_path": "/v/42862/f17", "id": "pyup.io-42862", "type": "cve", "cve": "CVE-2020-10744"}, {"specs": [">=0,<2.2.1.0"], "advisory": "An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.", "transitive": false, "more_info_path": "/v/54118/f17", "id": "pyup.io-54118", "type": "cve", "cve": "CVE-2016-8647"}, {"specs": ["<1.5.5"], "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4659: Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the \"deb http://user:pass@server:port/\" format.", "transitive": false, "more_info_path": "/v/42854/f17", "id": "pyup.io-42854", "type": "cve", "cve": "CVE-2014-4659"}, {"specs": ["<2.3.1"], "advisory": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. 
See: CVE-2017-7481.", "transitive": false, "more_info_path": "/v/34941/f17", "id": "pyup.io-34941", "type": "cve", "cve": "CVE-2017-7481"}, {"specs": [">=2.5.0a0,<2.5.15", ">=2.6.0a0,<2.6.14", ">=2.7.0a0,<2.7.8"], "advisory": "Ansible 2.5.15, 2.6.14 and 2.7.8 include a fix for CVE-2019-3828: Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local Ansible controller host by not restricting an absolute path.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828", "transitive": false, "more_info_path": "/v/42888/f17", "id": "pyup.io-42888", "type": "cve", "cve": "CVE-2019-3828"}, {"specs": ["<1.5.4"], "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-2686: Ansible prior to 1.5.4 mishandles the evaluation of some strings.\r\nhttps://groups.google.com/forum/#!searchin/ansible-project/1.5.4/ansible-project/MUQxiKwSQDc/id6aVaawVboJ", "transitive": false, "more_info_path": "/v/42919/f17", "id": "pyup.io-42919", "type": "cve", "cve": "CVE-2014-2686"}, {"specs": [">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6"], "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. 
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740", "transitive": false, "more_info_path": "/v/42869/f17", "id": "pyup.io-42869", "type": "cve", "cve": "CVE-2020-1740"}, {"specs": ["<1.7"], "advisory": "Ansible 1.7.0 adds path checking for relative/escaped tar filenames in the ansible-galaxy command.\r\nhttps://github.com/ansible/ansible/commit/92382c41810a4496e7f894696da645fe5151c232", "transitive": false, "more_info_path": "/v/25622/f17", "id": "pyup.io-25622", "type": "pve", "cve": "PVE-2021-25622"}, {"specs": [">=2.6.0a0,<2.6.20", ">=2.7.0a0,<2.7.14", ">=2.8.0a0,<2.8.6"], "advisory": "Ansible versions 2.6.20, 2.7.14 and 2.8.6 include a fix for CVE-2019-14856: The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in Ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856", "transitive": false, "more_info_path": "/v/42884/f17", "id": "pyup.io-42884", "type": "cve", "cve": "CVE-2019-14856"}, {"specs": [">=0,<2.7.18", ">=2.8.0,<2.8.11", ">=2.9.0,<2.9.7"], "advisory": "A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. 
This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.", "transitive": false, "more_info_path": "/v/54240/f17", "id": "pyup.io-54240", "type": "cve", "cve": "CVE-2020-1753"}, {"specs": [">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.11", ">=2.9.0a0,<2.9.7"], "advisory": "Ansible versions 2.7.17, 2.8.11 and 2.9.7 include a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p <dir>\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733", "transitive": false, "more_info_path": "/v/42879/f17", "id": "pyup.io-42879", "type": "cve", "cve": "CVE-2020-1733"}, {"specs": [">=2.7.0,<2.7.17", ">=2.8.0,<2.8.11", ">=2.9.0,<2.9.7"], "advisory": "A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. 
So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.", "transitive": false, "more_info_path": "/v/54331/f17", "id": "pyup.io-54331", "type": "cve", "cve": "CVE-2020-10685"}, {"specs": [">=0,<2.7.17", ">=2.8.0,<2.8.11", ">=2.9.0,<2.9.7"], "advisory": "A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.", "transitive": false, "more_info_path": "/v/54284/f17", "id": "pyup.io-54284", "type": "cve", "cve": "CVE-2020-1746"}, {"specs": ["<1.2.2"], "advisory": "Ansible 1.2.2 includes a fix for CVE-2021-3447: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker could take advantage of this information to steal those credentials, provided it had access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. 
This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1939349", "transitive": false, "more_info_path": "/v/42860/f17", "id": "pyup.io-42860", "type": "cve", "cve": "CVE-2021-3447"}, {"specs": ["<2.8.19", ">=2.9.0b1,<2.9.18", ">=2.10.0a1,<2.10.7"], "advisory": "Ansible 2.8.19, 2.9.18 and 2.10.7 include a fix for CVE-2021-20191: Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1916813", "transitive": false, "more_info_path": "/v/42856/f17", "id": "pyup.io-42856", "type": "cve", "cve": "CVE-2021-20191"}, {"specs": ["<1.7.1"], "advisory": "ansible 1.7.1 contains a security fix to disallow specifying 'args:' as a string, which could allow the insertion of extra module parameters through variables.", "transitive": false, "more_info_path": "/v/25623/f17", "id": "pyup.io-25623", "type": "pve", "cve": "PVE-2021-25623"}, {"specs": ["<2.9.18"], "advisory": "Ansible 2.9.18 includes a fix for CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. 
The highest threat from this vulnerability is to confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1914774", "transitive": false, "more_info_path": "/v/42858/f17", "id": "pyup.io-42858", "type": "cve", "cve": "CVE-2021-20178"}, {"specs": ["<1.6.7"], "advisory": "ansible 1.6.7 contains two security fixes:\r\n * Strip lookup calls out of inventory variables and clean unsafe data\r\n returned from lookup plugins (CVE-2014-4966)\r\n * Make sure vars don't insert extra parameters into module args and prevent\r\n duplicate params from superseding previous params (CVE-2014-4967)", "transitive": false, "more_info_path": "/v/25621/f17", "id": "pyup.io-25621", "type": "cve", "cve": "CVE-2014-4967"}, {"specs": [">=2.3.0,<2.3.3", ">=2.4.0,<2.4.1"], "advisory": "Ansible 2.3.3 and 2.4.1 include a fix for CVE-2017-7550: A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the \"params\" argument, and noting this in the module documentation.\r\nhttps://github.com/ansible/ansible/issues/30874\r\nhttps://access.redhat.com/errata/RHSA-2017:2966", "transitive": false, "more_info_path": "/v/42853/f17", "id": "pyup.io-42853", "type": "cve", "cve": "CVE-2017-7550"}, {"specs": [">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6"], "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. 
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735", "transitive": false, "more_info_path": "/v/42877/f17", "id": "pyup.io-42877", "type": "cve", "cve": "CVE-2020-1735"}, {"specs": [">=2.7.0a0,<2.7.15", ">=2.8.0a0,<2.8.7", ">=2.9.0a0,<2.9.1"], "advisory": "Ansible versions 2.7.15, 2.8.7 and 2.9.1 include a fix for CVE-2019-14864: Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, are not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used to send tasks results events to collectors. This would disclose and collect any sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864", "transitive": false, "more_info_path": "/v/42882/f17", "id": "pyup.io-42882", "type": "cve", "cve": "CVE-2019-14864"}, {"specs": ["<1.5.5"], "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4660: Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the \"deb http://user:pass@server:port/\" format.\r\nhttps://www.openwall.com/lists/oss-security/2014/06/26/19", "transitive": false, "more_info_path": "/v/42918/f17", "id": "pyup.io-42918", "type": "cve", "cve": "CVE-2014-4660"}, {"specs": [">=0,<2.9.6"], "advisory": "A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. 
This flaw affects Ansible Engine versions before 2.9.6.", "transitive": false, "more_info_path": "/v/54283/f17", "id": "pyup.io-54283", "type": "cve", "cve": "CVE-2020-10729"}, {"specs": [">=2.5,<2.5.6", ">=2.4,<2.4.6.0", ">=2.6,<2.6.1"], "advisory": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.", "transitive": false, "more_info_path": "/v/54289/f17", "id": "pyup.io-54289", "type": "cve", "cve": "CVE-2018-10875"}, {"specs": [">=2.5.0,<7.0.0"], "advisory": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.", "transitive": false, "more_info_path": "/v/54564/f17", "id": "pyup.io-54564", "type": "cve", "cve": "CVE-2022-3697"}, {"specs": [">0"], "advisory": "A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. 
Any secret information in an async status file will be readable by a malicious user on that system.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956464", "transitive": false, "more_info_path": "/v/42923/f17", "id": "pyup.io-42923", "type": "cve", "cve": "CVE-2021-3532"}], "kako": [{"specs": ["<1.1.0"], "advisory": "Kako 1.1.0 updates its dependency 'requests' to v2.22.0 to include a security fix.", "transitive": true, "more_info_path": "/v/54901/f17", "id": "pyup.io-54901", "type": "cve", "cve": "CVE-2018-18074"}, {"specs": ["<1.1.0"], "advisory": "Kako 1.1.0 updates its dependency 'pyyaml' to v5.1.2 to include a security fix.", "transitive": true, "more_info_path": "/v/38720/f17", "id": "pyup.io-38720", "type": "cve", "cve": "CVE-2017-18342"}], "mmocr": [{"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50509/f17", "id": "pyup.io-50509", "type": "cve", "cve": "CVE-2019-5064"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50513/f17", "id": "pyup.io-50513", "type": "cve", "cve": "CVE-2017-12600"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50503/f17", "id": "pyup.io-50503", "type": "cve", "cve": "CVE-2019-14492"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50456/f17", "id": "pyup.io-50456", "type": "cve", "cve": "CVE-2019-14491"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to 
include security fixes.", "transitive": true, "more_info_path": "/v/50505/f17", "id": "pyup.io-50505", "type": "cve", "cve": "CVE-2019-15939"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50507/f17", "id": "pyup.io-50507", "type": "cve", "cve": "CVE-2019-19624"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50508/f17", "id": "pyup.io-50508", "type": "cve", "cve": "CVE-2019-5063"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50512/f17", "id": "pyup.io-50512", "type": "cve", "cve": "CVE-2017-12599"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50519/f17", "id": "pyup.io-50519", "type": "cve", "cve": "CVE-2017-12606"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50520/f17", "id": "pyup.io-50520", "type": "cve", "cve": "CVE-2016-1517"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50514/f17", "id": "pyup.io-50514", "type": "cve", "cve": "CVE-2017-12601"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": 
"/v/50516/f17", "id": "pyup.io-50516", "type": "cve", "cve": "CVE-2017-12603"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50504/f17", "id": "pyup.io-50504", "type": "cve", "cve": "CVE-2019-16249"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50517/f17", "id": "pyup.io-50517", "type": "cve", "cve": "CVE-2017-12604"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50511/f17", "id": "pyup.io-50511", "type": "cve", "cve": "CVE-2017-12598"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50515/f17", "id": "pyup.io-50515", "type": "cve", "cve": "CVE-2017-12602"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50518/f17", "id": "pyup.io-50518", "type": "cve", "cve": "CVE-2017-12605"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50510/f17", "id": "pyup.io-50510", "type": "cve", "cve": "CVE-2017-12597"}, {"specs": ["<0.6.1"], "advisory": "Mmocr 0.6.1 restricts the minimum version of its requirement 'opencv-python' to '>=4.2.0.32' to include security fixes.", "transitive": true, "more_info_path": "/v/50506/f17", "id": "pyup.io-50506", "type": "cve", "cve": 
"CVE-2019-9423"}], "bise-theme": [{"specs": ["<2.4"], "advisory": "bise.theme 2.4 fixes a potential XSS issue with catalogue search.", "transitive": false, "more_info_path": "/v/25639/f17", "id": "pyup.io-25639", "type": "pve", "cve": "PVE-2021-25639"}], "codalab": [{"specs": ["<0.2.33"], "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.", "transitive": false, "more_info_path": "/v/36386/f17", "id": "pyup.io-36386", "type": "pve", "cve": "PVE-2021-36386"}, {"specs": ["<0.5.33"], "advisory": "Codalab 0.5.33 includes a fix for some front-end vulnerabilities (with `npm audit fix`).", "transitive": false, "more_info_path": "/v/39434/f17", "id": "pyup.io-39434", "type": "pve", "cve": "PVE-2021-39434"}, {"specs": ["<0.5.12"], "advisory": "Codalab 0.5.12 fixes a vulnerability. No description of the vulnerability was included.", "transitive": false, "more_info_path": "/v/38927/f17", "id": "pyup.io-38927", "type": "pve", "cve": "PVE-2021-38927"}], "testinfra-bdd": [{"specs": ["<2.2.4"], "advisory": "Testinfra-bdd 2.2.4 updates its dependency 'GitPython' to v3.1.30 to include a security fix.", "transitive": true, "more_info_path": "/v/52602/f17", "id": "pyup.io-52602", "type": "cve", "cve": "CVE-2022-24439"}, {"specs": ["<2.2.4"], "advisory": "Testinfra-bdd 2.2.4 pins its dependency 'setuptools' to versions '>=65.5.1' to include a security fix.", "transitive": true, "more_info_path": "/v/52656/f17", "id": "pyup.io-52656", "type": "cve", "cve": "CVE-2022-40897"}], "pdfcropmargins": [{"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49525/f17", "id": "pyup.io-49525", "type": "cve", "cve": "CVE-2021-27923"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": 
"/v/49507/f17", "id": "pyup.io-49507", "type": "cve", "cve": "CVE-2022-22815"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49518/f17", "id": "pyup.io-49518", "type": "cve", "cve": "CVE-2021-25293"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49442/f17", "id": "pyup.io-49442", "type": "cve", "cve": "CVE-2021-27922"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49510/f17", "id": "pyup.io-49510", "type": "cve", "cve": "CVE-2021-28677"}, {"specs": ["<1.1.1"], "advisory": "Pdfcropmargins 1.1.1 updates its dependency 'pillow' requirement to \">=9.3.0\" to include security fixes.", "transitive": true, "more_info_path": "/v/52359/f17", "id": "pyup.io-52359", "type": "cve", "cve": "CVE-2022-45198"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49511/f17", "id": "pyup.io-49511", "type": "cve", "cve": "CVE-2021-28676"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49506/f17", "id": "pyup.io-49506", "type": "cve", "cve": "CVE-2022-22816"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49514/f17", "id": "pyup.io-49514", "type": "cve", "cve": "CVE-2021-25289"}, {"specs": ["<1.1.1"], "advisory": "Pdfcropmargins 1.1.1 updates its dependency 'pillow' 
requirement to \">=9.3.0\" to include security fixes.", "transitive": true, "more_info_path": "/v/52361/f17", "id": "pyup.io-52361", "type": "cve", "cve": "CVE-2022-24303"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49513/f17", "id": "pyup.io-49513", "type": "cve", "cve": "CVE-2021-25288"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49524/f17", "id": "pyup.io-49524", "type": "cve", "cve": "CVE-2021-23437"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49519/f17", "id": "pyup.io-49519", "type": "cve", "cve": "CVE-2021-27921"}, {"specs": ["<1.1.1"], "advisory": "Pdfcropmargins 1.1.1 updates its dependency 'pillow' requirement to \">=9.3.0\" to include security fixes.", "transitive": true, "more_info_path": "/v/52360/f17", "id": "pyup.io-52360", "type": "cve", "cve": "CVE-2022-30595"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49515/f17", "id": "pyup.io-49515", "type": "cve", "cve": "CVE-2021-25290"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49521/f17", "id": "pyup.io-49521", "type": "cve", "cve": "CVE-2020-35654"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49508/f17", "id": "pyup.io-49508", "type": "cve", "cve": "CVE-2021-34552"}, 
{"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49522/f17", "id": "pyup.io-49522", "type": "cve", "cve": "CVE-2020-35655"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 pins its dependency 'PyPDF2' to versions \">=1.27.5\" to include a security fix.", "transitive": true, "more_info_path": "/v/49526/f17", "id": "pyup.io-49526", "type": "cve", "cve": "CVE-2022-24859"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49517/f17", "id": "pyup.io-49517", "type": "cve", "cve": "CVE-2021-25292"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49520/f17", "id": "pyup.io-49520", "type": "cve", "cve": "CVE-2020-35653"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49509/f17", "id": "pyup.io-49509", "type": "cve", "cve": "CVE-2021-28678"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49512/f17", "id": "pyup.io-49512", "type": "cve", "cve": "CVE-2021-25287"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": "/v/49516/f17", "id": "pyup.io-49516", "type": "cve", "cve": "CVE-2021-25291"}, {"specs": ["<1.0.6"], "advisory": "Pdfcropmargins 1.0.6 updates its dependency 'pillow' requirement to '>=9.0.0' to include security fixes.", "transitive": true, "more_info_path": 
"/v/49523/f17", "id": "pyup.io-49523", "type": "cve", "cve": "CVE-2020-15999"}], "cherrymusic": [{"specs": ["<0.36.0"], "advisory": "Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the \"value\" parameter to \"download.\"", "transitive": false, "more_info_path": "/v/25650/f17", "id": "pyup.io-25650", "type": "cve", "cve": "CVE-2015-8309"}, {"specs": ["<0.36.0"], "advisory": "Cross-site scripting (XSS) vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to inject arbitrary web script or HTML via the playlistname field when creating a new playlist.", "transitive": false, "more_info_path": "/v/42242/f17", "id": "pyup.io-42242", "type": "cve", "cve": "CVE-2015-8310"}], "pyttman": [{"specs": ["<1.1.7"], "advisory": "Pyttman version 1.1.7 makes clients to not start in parallel when using Threading due to issues with security and runtime on unix and linux based systems.", "transitive": false, "more_info_path": "/v/41969/f17", "id": "pyup.io-41969", "type": "pve", "cve": "PVE-2021-41969"}], "collective-contact-core": [{"specs": ["<1.10"], "advisory": "Collective.contact.core 1.10 fixes a security issue related to AddContact. The vulnerability was found in its dependency Plone CMS. 
See CVE-2016-7138.\r\nhttps://github.com/collective/collective.contact.core/pull/25", "transitive": false, "more_info_path": "/v/25657/f17", "id": "pyup.io-25657", "type": "cve", "cve": "CVE-2016-7138"}, {"specs": ["<1.10"], "advisory": "collective-contact-core before 1.10", "transitive": false, "more_info_path": "/v/36089/f17", "id": "pyup.io-36089", "type": "pve", "cve": "PVE-2021-36089"}], "zope2": [{"specs": ["<=2.11.2"], "advisory": "PythonScripts in Zope2 2.11.2 and earlier, as used in Conga and other products, allows remote authenticated users to cause a denial of service (resource consumption or application halt) via certain (1) raise or (2) import statements.", "transitive": false, "more_info_path": "/v/54896/f17", "id": "pyup.io-54896", "type": "cve", "cve": "CVE-2008-5102"}, {"specs": [">=2.11.0a1,<2.11.7", ">=2.10.0a1,<2.10.12"], "advisory": "ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.", "transitive": false, "more_info_path": "/v/26191/f17", "id": "pyup.io-26191", "type": "cve", "cve": "CVE-2010-3198"}, {"specs": ["<2.12.19", ">=2.13,<2.13.8"], "advisory": "Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a \"highly serious vulnerability.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.", "transitive": false, "more_info_path": "/v/26192/f17", "id": "pyup.io-26192", "type": "cve", "cve": "CVE-2011-2528"}, {"specs": ["<2.13.11", "<2.12.21"], "advisory": "The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 2.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via 
unspecified vectors.", "transitive": false, "more_info_path": "/v/26193/f17", "id": "pyup.io-26193", "type": "cve", "cve": "CVE-2012-5489"}, {"specs": [">=2.12.0a1,<2.12.21", ">=2.13.0a1,<2.13.11"], "advisory": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.", "transitive": false, "more_info_path": "/v/26196/f17", "id": "pyup.io-26196", "type": "cve", "cve": "CVE-2011-3587"}, {"specs": [">=2.12,<2.12.3", ">=2.10,<2.10.11", ">=2.8,<2.8.12", ">=2.9,<2.9.12"], "advisory": "Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.", "transitive": false, "more_info_path": "/v/26197/f17", "id": "pyup.io-26197", "type": "cve", "cve": "CVE-2010-1104"}, {"specs": ["<2.13.19"], "advisory": "AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.", "transitive": false, "more_info_path": "/v/33169/f17", "id": "pyup.io-33169", "type": "cve", "cve": "CVE-2012-5507"}, {"specs": ["<2.13.19"], "advisory": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.", "transitive": false, "more_info_path": "/v/33168/f17", "id": "pyup.io-33168", "type": "cve", "cve": "CVE-2012-5486"}, {"specs": ["<2.8.11", ">=2.9a1,<2.9.11", ">=2.10a1,<2.10.9", ">=2.11a1,<2.11.4"], "advisory": "Zope2 2.11.4, 2.10.9, 2.9.11 and 2.8.11 include a fix for CVE-2009-0669: Zope Object Database (ZODB) before 3.8.2, when 
certain Zope Enterprise Objects (ZEO) database sharing is enabled, allows remote attackers to bypass authentication via vectors involving the ZEO network protocol.\r\nhttps://mail.zope.dev/pipermail/zope-announce/2009-August/002220.html", "transitive": false, "more_info_path": "/v/53308/f17", "id": "pyup.io-53308", "type": "cve", "cve": "CVE-2009-0669"}, {"specs": ["<2.7.0", ">=2.8a1,<2.8.7", ">=2.9a1,<2.9.3"], "advisory": "Zope2 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the \"raw\" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files.", "transitive": false, "more_info_path": "/v/53309/f17", "id": "pyup.io-53309", "type": "cve", "cve": "CVE-2006-3458"}], "aiolifx-themes": [{"specs": ["<0.4.1"], "advisory": "Aiolifx-themes 0.4.1 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", "transitive": true, "more_info_path": "/v/52569/f17", "id": "pyup.io-52569", "type": "cve", "cve": "CVE-2022-40897"}], "vpype": [{"specs": ["<1.8.1"], "advisory": "Vpype 1.8.1 updates 'Pillow' to v9.0.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44521/f17", "id": "pyup.io-44521", "type": "cve", "cve": "CVE-2022-22815"}, {"specs": ["<1.8.1"], "advisory": "Vpype 1.8.1 updates 'Pillow' to v9.0.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44523/f17", "id": "pyup.io-44523", "type": "cve", "cve": "CVE-2022-22817"}, {"specs": ["<1.8.1"], "advisory": "Vpype 1.8.1 updates 'Pillow' to v9.0.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44527/f17", "id": "pyup.io-44527", "type": "pve", "cve": "PVE-2022-44524"}, {"specs": ["<1.8.1"], "advisory": "Vpype 1.8.1 updates 'Pillow' to v9.0.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44526/f17", "id": "pyup.io-44526", "type": "pve", "cve": "PVE-2021-44525"}, {"specs": ["<1.8.1"], 
"advisory": "Vpype 1.8.1 updates 'Pillow' to v9.0.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44522/f17", "id": "pyup.io-44522", "type": "cve", "cve": "CVE-2022-22816"}], "creavel": [{"specs": ["<=0.11.0"], "advisory": "Creavel 0.11.0 has a vulnerability associated with jinja2.\r\nhttps://github.com/airbnb/superset/commit/bce02e3f518237c03273e3ed4d9d1a13d9f8f6a9", "transitive": false, "more_info_path": "/v/25674/f17", "id": "pyup.io-25674", "type": "pve", "cve": "PVE-2021-25674"}, {"specs": ["<0.11.0"], "advisory": "Creavel 0.11.0 prevents XSS on FAB list views.\r\nhttps://github.com/apache/superset/commit/b62d7e3e8eaa80e201af3141fb4fe26c39e1ff79", "transitive": false, "more_info_path": "/v/25673/f17", "id": "pyup.io-25673", "type": "pve", "cve": "PVE-2021-25673"}], "crossbar": [{"specs": ["<0.15.0"], "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.", "transitive": false, "more_info_path": "/v/25675/f17", "id": "pyup.io-25675", "type": "pve", "cve": "PVE-2021-25675"}, {"specs": ["<20.12.3"], "advisory": "Crossbar 20.12.3 updates its dependency Autobahn to v20.12.3, which in turn fixes a potential security issue when enabling the Web status page ('enable_webstatus') on WebSocket-WAMP listening transports.", "transitive": true, "more_info_path": "/v/39329/f17", "id": "pyup.io-39329", "type": "cve", "cve": "CVE-2020-35678"}], "openapigenerator": [{"specs": ["<4.1.3"], "advisory": "Openapigenerator 4.1.3 updates its Maven dependency 'jackson-databind' to v2.9.10 to include security fixes.", "transitive": true, "more_info_path": "/v/45761/f17", "id": "pyup.io-45761", "type": "cve", "cve": "CVE-2019-14540"}, {"specs": ["<4.2.1"], "advisory": "Openapigenerator 4.2.1 updates its Maven dependency 'jackson-databind' to v2.9.10.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45757/f17", "id": 
"pyup.io-45757", "type": "cve", "cve": "CVE-2019-17531"}, {"specs": ["<4.1.0"], "advisory": "Openapigenerator 4.1.0 updates its dependency 'lodash' to versions >=4.17.13 to include a security fix.", "transitive": true, "more_info_path": "/v/45635/f17", "id": "pyup.io-45635", "type": "cve", "cve": "CVE-2019-10744"}, {"specs": ["<4.0.3"], "advisory": "Openapigenerator 4.0.3 updates flow-copy-source dependency (mem) to include a security fix.\r\nhttps://github.com/OpenAPITools/openapi-generator/pull/3296", "transitive": true, "more_info_path": "/v/45634/f17", "id": "pyup.io-45634", "type": "pve", "cve": "PVE-2019-45634"}, {"specs": ["<4.0.0beta2"], "advisory": "Openapigenerator 4.0.0beta2 updates its Maven dependency 'jackson-databind' to v2.8.11.3 to include security fixes.", "transitive": true, "more_info_path": "/v/45763/f17", "id": "pyup.io-45763", "type": "cve", "cve": "CVE-2018-19362"}, {"specs": ["<3.3.2"], "advisory": "Openapigenerator 3.3.2 updates its Maven dependency 'jackson-databind' to v2.8.11.2 to include security fixes.", "transitive": true, "more_info_path": "/v/45631/f17", "id": "pyup.io-45631", "type": "cve", "cve": "CVE-2018-12022"}, {"specs": ["<4.0.0b3"], "advisory": "Apenapigenerator v4.0.0-beta3 updates its Maven dependency 'gradle' to v2.14.1 to fix a vulnerability.", "transitive": true, "more_info_path": "/v/45602/f17", "id": "pyup.io-45602", "type": "cve", "cve": "CVE-2016-6199"}, {"specs": ["<4.1.3"], "advisory": "Openapigenerator 4.1.3 updates its Maven dependency 'jackson-databind' to v2.9.10 to include security fixes.", "transitive": true, "more_info_path": "/v/45636/f17", "id": "pyup.io-45636", "type": "cve", "cve": "CVE-2019-17267"}, {"specs": ["<4.3.0"], "advisory": "Openapigenerator updates its Ruby dependency 'rake' to v13.0.1 to include a security fix.", "transitive": true, "more_info_path": "/v/45638/f17", "id": "pyup.io-45638", "type": "cve", "cve": "CVE-2020-8130"}, {"specs": ["<4.2.1"], "advisory": "Openapigenerator 4.2.1 
updates its Maven dependency 'jackson-databind' to v2.9.10.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45637/f17", "id": "pyup.io-45637", "type": "cve", "cve": "CVE-2019-16942"}, {"specs": ["<3.2.1"], "advisory": "Openapigenerator 3.2.1 updates its dependency 'superagent' to v3.7.0 to include a security fix.", "transitive": true, "more_info_path": "/v/45629/f17", "id": "pyup.io-45629", "type": "cve", "cve": "CVE-2017-16129"}, {"specs": ["<4.0.0beta2"], "advisory": "Openapigenerator 4.0.0beta2 updates its Maven dependency 'jackson-databind' to v2.8.11.3 to include security fixes.", "transitive": true, "more_info_path": "/v/45632/f17", "id": "pyup.io-45632", "type": "cve", "cve": "CVE-2018-19360"}, {"specs": ["<4.0.2"], "advisory": "Openapigenerator 4.0.2 updates the babel-cli version to fix security issue.\r\nhttps://github.com/advisories/GHSA-g95f-p29q-9xw4", "transitive": true, "more_info_path": "/v/45633/f17", "id": "pyup.io-45633", "type": "pve", "cve": "PVE-2019-45633"}, {"specs": ["<4.2.1"], "advisory": "Openapigenerator 4.2.1 updates its Maven dependency 'jackson-databind' to v2.9.10.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45756/f17", "id": "pyup.io-45756", "type": "cve", "cve": "CVE-2019-16943"}, {"specs": ["<4.1.3"], "advisory": "Openapigenerator 4.1.3 updates its Maven dependency 'jackson-databind' to v2.9.10 to include security fixes.", "transitive": true, "more_info_path": "/v/45758/f17", "id": "pyup.io-45758", "type": "cve", "cve": "CVE-2019-16335"}, {"specs": ["<4.1.3"], "advisory": "Openapigenerator 4.1.3 updates its Maven dependency 'jackson-databind' to v2.9.10 to include security fixes.", "transitive": true, "more_info_path": "/v/45759/f17", "id": "pyup.io-45759", "type": "cve", "cve": "CVE-2019-14893"}, {"specs": ["<4.1.3"], "advisory": "Openapigenerator 4.1.3 updates its Maven dependency 'jackson-databind' to v2.9.10 to include security fixes.", "transitive": true, "more_info_path": 
"/v/45760/f17", "id": "pyup.io-45760", "type": "cve", "cve": "CVE-2019-14892"}, {"specs": ["<4.0.0beta2"], "advisory": "Openapigenerator 4.0.0beta2 updates its Maven dependency 'jackson-databind' to v2.8.11.3 to include security fixes.", "transitive": true, "more_info_path": "/v/45762/f17", "id": "pyup.io-45762", "type": "cve", "cve": "CVE-2018-19361"}, {"specs": ["<3.3.2"], "advisory": "Openapigenerator 3.3.2 updates its Maven dependency 'jackson-databind' to v2.8.11.2 to include security fixes.", "transitive": true, "more_info_path": "/v/45764/f17", "id": "pyup.io-45764", "type": "cve", "cve": "CVE-2018-12023"}], "tutor": [{"specs": ["<3.12.3"], "advisory": "Tutor 3.12.3 applies most recent security patches for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40920/f17", "id": "pyup.io-40920", "type": "pve", "cve": "PVE-2021-40920"}, {"specs": ["<12.0.4"], "advisory": "Tutor 12.0.4 applies security patch.\r\nhttps://github.com/edx/edx-platform/pull/28442", "transitive": false, "more_info_path": "/v/41730/f17", "id": "pyup.io-41730", "type": "pve", "cve": "PVE-2021-41730"}, {"specs": ["<3.5.2"], "advisory": "Tutor 3.5.2 applies certificate XSS security patch.\r\nhttps://github.com/overhangio/tutor/commit/c02fabb493b5e5b6ca6e2ad5612219e6c9803791", "transitive": false, "more_info_path": "/v/40924/f17", "id": "pyup.io-40924", "type": "cve", "cve": "CVE-2019-20513"}, {"specs": ["<10.5.3"], "advisory": "Tutor 10.5.3 applies upstream security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40916/f17", "id": "pyup.io-40916", "type": "pve", "cve": "PVE-2021-40916"}, {"specs": ["<11.2.2"], "advisory": "Tutor 11.2.2 includes a security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40908/f17", "id": "pyup.io-40908", "type": "pve", "cve": "PVE-2021-40908"}, {"specs": ["<3.6.3"], "advisory": "Tutor 3.6.3 fixes a template injection 
vulnerability in 'CustomTagModule'.\r\nhttps://github.com/overhangio/tutor/commit/bcf1ffe556151745c0ae38dcd13fe8dfc4d77a6c", "transitive": false, "more_info_path": "/v/40922/f17", "id": "pyup.io-40922", "type": "pve", "cve": "PVE-2021-40922"}, {"specs": ["<10.2.0"], "advisory": "Tutor 10.2.0 includes a security patch for JavaScript code in the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40917/f17", "id": "pyup.io-40917", "type": "pve", "cve": "PVE-2021-40917"}, {"specs": ["<10.1.0"], "advisory": "Tutor 10.1.0 includes upstream XSS security fixes for the 'edx-platform' underlying dependency.\r\nhttps://github.com/overhangio/tutor/commit/8e2a06dc6fc2c1819ee82e46f44490602a065766", "transitive": false, "more_info_path": "/v/40918/f17", "id": "pyup.io-40918", "type": "pve", "cve": "PVE-2021-40918"}, {"specs": ["<11.2.7"], "advisory": "Tutor 11.2.7 applies a security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40907/f17", "id": "pyup.io-40907", "type": "pve", "cve": "PVE-2021-40907"}, {"specs": ["<11.0.6"], "advisory": "Tutor 11.0.6 applies a security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40914/f17", "id": "pyup.io-40914", "type": "pve", "cve": "PVE-2021-40914"}, {"specs": ["<11.0.7"], "advisory": "Tutor 11.0.7 includes a security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40913/f17", "id": "pyup.io-40913", "type": "pve", "cve": "PVE-2021-40913"}, {"specs": ["<11.1.3"], "advisory": "Tutor 11.1.3 includes a security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40911/f17", "id": "pyup.io-40911", "type": "pve", "cve": "PVE-2021-40911"}, {"specs": ["<11.1.1"], "advisory": "Tutor 11.1.1 includes a security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40912/f17", "id": 
"pyup.io-40912", "type": "pve", "cve": "PVE-2021-40912"}, {"specs": ["<13.1.3"], "advisory": "Tutor 13.1.3 fixes an invalid enrollment vulnerability.\r\nhttps://github.com/overhangio/edx-platform/commit/e9369cffde92e765117bbd4dfbee7dc29213493a", "transitive": false, "more_info_path": "/v/44747/f17", "id": "pyup.io-44747", "type": "pve", "cve": "PVE-2022-44747"}, {"specs": ["<15.3.0"], "advisory": "Tutor 15.3.0 includes a fix for CVE-2023-23611: Any LTI tool that is integrated with on the Open edX platform can post a grade back for any LTI XBlock so long as it knows or can guess the block location for that XBlock.\r\nhttps://github.com/overhangio/tutor/commit/9df3b18c31ff79d3ba325b028c8effbf3de89c9b", "transitive": true, "more_info_path": "/v/53221/f17", "id": "pyup.io-53221", "type": "cve", "cve": "CVE-2023-23611"}, {"specs": ["<3.9.0"], "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", "transitive": true, "more_info_path": "/v/49776/f17", "id": "pyup.io-49776", "type": "cve", "cve": "CVE-2019-14234"}, {"specs": ["<3.9.0"], "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", "transitive": true, "more_info_path": "/v/49777/f17", "id": "pyup.io-49777", "type": "cve", "cve": "CVE-2019-14235"}, {"specs": ["<3.9.0"], "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", "transitive": true, "more_info_path": "/v/49774/f17", "id": "pyup.io-49774", "type": "cve", "cve": "CVE-2019-14232"}, {"specs": ["<11.2.10"], "advisory": "Tutor 11.2.10 applies security patches for the 'Django' dependency by upgrading from 2.2.20 to 2.2.23.", "transitive": true, "more_info_path": "/v/49771/f17", "id": "pyup.io-49771", "type": "cve", "cve": "CVE-2021-31542"}, {"specs": ["<13.3.0"], "advisory": "Tutor 13.3.0 applies a security fix in logout redirect 
urls.\r\nhttps://github.com/overhangio/tutor/commit/79eca380f6cdb14b418475fa8872662fa46efad8", "transitive": false, "more_info_path": "/v/49260/f17", "id": "pyup.io-49260", "type": "pve", "cve": "PVE-2022-49260"}, {"specs": ["<13.0.0"], "advisory": "Tutor 13.0.0 converts all NodePort services to ClusterIP resources so to avoid they are exposed to the outside world, specially using Kubernetes.\r\nhttps://github.com/overhangio/tutor/commit/7c1e85ef4ba94cce1d597a1a3ea69cedbc2bde49", "transitive": false, "more_info_path": "/v/43583/f17", "id": "pyup.io-43583", "type": "pve", "cve": "PVE-2021-43583"}, {"specs": ["<11.1.4"], "advisory": "Tutor 11.1.4 applies a security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40910/f17", "id": "pyup.io-40910", "type": "pve", "cve": "PVE-2021-40910"}, {"specs": ["<11.2.10"], "advisory": "Tutor 11.2.10 applies security patches for the 'Django' dependency by upgrading from 2.2.20 to 2.2.23.", "transitive": true, "more_info_path": "/v/49772/f17", "id": "pyup.io-49772", "type": "cve", "cve": "CVE-2021-28658"}, {"specs": ["<3.9.0"], "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", "transitive": true, "more_info_path": "/v/49778/f17", "id": "pyup.io-49778", "type": "cve", "cve": "CVE-2019-19118"}, {"specs": ["<3.9.0"], "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", "transitive": true, "more_info_path": "/v/49773/f17", "id": "pyup.io-49773", "type": "cve", "cve": "CVE-2019-12781"}, {"specs": ["<13.1.4"], "advisory": "Tutor 13.1.4 fixes vulnerability in redirect url during authentication.\r\nhttps://github.com/overhangio/edx-platform/commit/06550411e34c04376fa3d757e1f068f464f816e6", "transitive": false, "more_info_path": "/v/44885/f17", "id": "pyup.io-44885", "type": "pve", "cve": "PVE-2022-44885"}, {"specs": ["<3.6.0"], "advisory": "Tutor 3.6.0 fixes insecure 
static asset loading when web proxy is enabled.", "transitive": false, "more_info_path": "/v/40923/f17", "id": "pyup.io-40923", "type": "pve", "cve": "PVE-2021-40923"}, {"specs": ["<10.0.5"], "advisory": "Tutor 10.0.5 applies upstream XSS security fixes for the 'edx-platform' underlying dependency.\r\nhttps://github.com/overhangio/tutor/commit/1773e2a347e6a9b3e378886ab2f8878dc6d80530", "transitive": true, "more_info_path": "/v/40919/f17", "id": "pyup.io-40919", "type": "pve", "cve": "PVE-2021-40919"}, {"specs": ["<13.2.0"], "advisory": "Tutor 13.2.0 fixes a rate limiting bypass vulnerability that was possible by using a spoofed X-Forwarded-For header.\r\nhttps://github.com/overhangio/edx-platform/commit/b5723e416e628cac4fa84392ca13e1b72817674f", "transitive": false, "more_info_path": "/v/48258/f17", "id": "pyup.io-48258", "type": "pve", "cve": "PVE-2022-48258"}, {"specs": ["<11.1.5"], "advisory": "Tutor 11.1.5 includes security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40909/f17", "id": "pyup.io-40909", "type": "pve", "cve": "PVE-2021-40909"}, {"specs": ["<14.2.2"], "advisory": "Tutor 14.2.2 fixes a XSS vulnerability in drag-n-drop v2 xblock.\r\nhttps://github.com/overhangio/tutor/commit/0e8f55798c5eeb745edf4d4a003d746f209e1a5a", "transitive": false, "more_info_path": "/v/52099/f17", "id": "pyup.io-52099", "type": "pve", "cve": "PVE-2022-52099"}, {"specs": ["<14.1.1"], "advisory": "Tutor 14.1.1 fixes a vulnerability in xblock ajax handler.\r\nhttps://github.com/overhangio/tutor/commit/3ba53655378cbe00245354bce159d720fb2cbbd6", "transitive": false, "more_info_path": "/v/51540/f17", "id": "pyup.io-51540", "type": "pve", "cve": "PVE-2022-51540"}, {"specs": ["<3.9.0"], "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", "transitive": true, "more_info_path": "/v/49779/f17", "id": "pyup.io-49779", "type": "cve", "cve": "CVE-2019-19844"}, {"specs": 
["<11.0.1"], "advisory": "Tutor 11.0.1 applies a security patch for the 'edx-platform' underlying dependency.", "transitive": false, "more_info_path": "/v/40915/f17", "id": "pyup.io-40915", "type": "pve", "cve": "PVE-2021-40915"}, {"specs": ["<13.1.9"], "advisory": "Tutor 13.1.9 fixes an open redirect vulnerability in inactive user flow.\r\nhttps://github.com/rgraber/edx-platform/commit/fbbcfe71832e700f16aad3636b0ccb35585d1c95", "transitive": false, "more_info_path": "/v/48012/f17", "id": "pyup.io-48012", "type": "pve", "cve": "PVE-2022-48012"}, {"specs": ["<3.9.0"], "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", "transitive": true, "more_info_path": "/v/49775/f17", "id": "pyup.io-49775", "type": "cve", "cve": "CVE-2019-14233"}, {"specs": ["<3.9.0"], "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", "transitive": true, "more_info_path": "/v/40921/f17", "id": "pyup.io-40921", "type": "cve", "cve": "CVE-2019-12308"}, {"specs": ["<11.2.10"], "advisory": "Tutor 11.2.10 applies security patches for the 'Django' dependency by upgrading from 2.2.20 to 2.2.23.", "transitive": true, "more_info_path": "/v/40906/f17", "id": "pyup.io-40906", "type": "cve", "cve": "CVE-2021-32052"}, {"specs": ["<3.3.5"], "advisory": "Tutor 3.3.5 updates the 'Jinja2' underlying dependency to v2.10.1 to fix a security vulnerability.", "transitive": true, "more_info_path": "/v/40925/f17", "id": "pyup.io-40925", "type": "cve", "cve": "CVE-2019-10906"}, {"specs": ["<13.1.11"], "advisory": "Tutor 13.1.11 fixes a vulnerability in SAML configuration.\r\nhttps://github.com/overhangio/tutor/commit/16b2378165006ba951c420f5a32b0651c01d57c0", "transitive": false, "more_info_path": "/v/48110/f17", "id": "pyup.io-48110", "type": "pve", "cve": "PVE-2022-48110"}, {"specs": ["<14.1.2"], "advisory": "Tutor 14.1.2 includes a fix for an XSS vulnerability on \"next\" parameter, imported 
from 'edx-platform'.\r\nhttps://github.com/overhangio/tutor/commit/b46a7b0fa806604eddaed8646a2a8712a8508c79.", "transitive": false, "more_info_path": "/v/51649/f17", "id": "pyup.io-51649", "type": "pve", "cve": "PVE-2022-51649"}], "aiohttp": [{"specs": ["<3.8.0"], "advisory": "Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection.\r\nhttps://github.com/aio-libs/aiohttp/issues/4818", "transitive": false, "more_info_path": "/v/42692/f17", "id": "pyup.io-42692", "type": "pve", "cve": "PVE-2021-42692"}, {"specs": ["<3.7.4"], "advisory": "Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications.", "transitive": false, "more_info_path": "/v/39659/f17", "id": "pyup.io-39659", "type": "cve", "cve": "CVE-2021-21330"}, {"specs": ["<0.16.3"], "advisory": "Aiohttp 0.16.3 fixes a directory traversal vulnerability by making changes in StaticRoute class of web_urldispatcher.py.\r\nhttps://github.com/aio-libs/aiohttp/pull/383", "transitive": false, "more_info_path": "/v/25613/f17", "id": "pyup.io-25613", "type": "pve", "cve": "PVE-2021-25613"}], "cryptacular": [{"specs": ["<1.2"], "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.", "transitive": false, "more_info_path": "/v/25677/f17", "id": "pyup.io-25677", "type": "pve", "cve": "PVE-2021-25677"}, {"specs": ["<1.2"], "advisory": "crypt_blowfish before 1.1, as used in PHP 
before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.", "transitive": false, "more_info_path": "/v/42230/f17", "id": "pyup.io-42230", "type": "cve", "cve": "CVE-2011-2483"}], "hotaru": [{"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46016/f17", "id": "pyup.io-46016", "type": "cve", "cve": "CVE-2021-41228"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45860/f17", "id": "pyup.io-45860", "type": "cve", "cve": "CVE-2020-26267"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45880/f17", "id": "pyup.io-45880", "type": "cve", "cve": "CVE-2021-29517"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43852/f17", "id": "pyup.io-43852", "type": "cve", "cve": "CVE-2020-15192"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43830/f17", "id": "pyup.io-43830", "type": "cve", "cve": "CVE-2020-15205"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43840/f17", "id": "pyup.io-43840", "type": "cve", "cve": "CVE-2020-13630"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", 
"transitive": true, "more_info_path": "/v/45858/f17", "id": "pyup.io-45858", "type": "cve", "cve": "CVE-2020-15266"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45876/f17", "id": "pyup.io-45876", "type": "cve", "cve": "CVE-2021-29513"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45881/f17", "id": "pyup.io-45881", "type": "cve", "cve": "CVE-2021-29518"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45897/f17", "id": "pyup.io-45897", "type": "cve", "cve": "CVE-2021-29534"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45900/f17", "id": "pyup.io-45900", "type": "cve", "cve": "CVE-2021-29537"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45902/f17", "id": "pyup.io-45902", "type": "cve", "cve": "CVE-2021-29539"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45905/f17", "id": "pyup.io-45905", "type": "cve", "cve": "CVE-2021-29542"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45913/f17", "id": "pyup.io-45913", "type": "cve", "cve": "CVE-2021-29550"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 
updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45916/f17", "id": "pyup.io-45916", "type": "cve", "cve": "CVE-2021-29553"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45920/f17", "id": "pyup.io-45920", "type": "cve", "cve": "CVE-2021-29557"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45923/f17", "id": "pyup.io-45923", "type": "cve", "cve": "CVE-2021-29560"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45924/f17", "id": "pyup.io-45924", "type": "cve", "cve": "CVE-2021-29561"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45930/f17", "id": "pyup.io-45930", "type": "cve", "cve": "CVE-2021-29567"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45952/f17", "id": "pyup.io-45952", "type": "cve", "cve": "CVE-2021-29589"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45959/f17", "id": "pyup.io-45959", "type": "cve", "cve": "CVE-2021-29596"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45975/f17", "id": "pyup.io-45975", 
"type": "cve", "cve": "CVE-2021-29612"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45971/f17", "id": "pyup.io-45971", "type": "cve", "cve": "CVE-2021-29608"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45978/f17", "id": "pyup.io-45978", "type": "cve", "cve": "CVE-2021-29615"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46001/f17", "id": "pyup.io-46001", "type": "cve", "cve": "CVE-2021-41213"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46004/f17", "id": "pyup.io-46004", "type": "cve", "cve": "CVE-2021-41216"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45883/f17", "id": "pyup.io-45883", "type": "cve", "cve": "CVE-2021-29520"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46031/f17", "id": "pyup.io-46031", "type": "cve", "cve": "CVE-2022-21738"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46028/f17", "id": "pyup.io-46028", "type": "cve", "cve": "CVE-2022-21735"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, 
"more_info_path": "/v/43845/f17", "id": "pyup.io-43845", "type": "cve", "cve": "CVE-2020-11656"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45866/f17", "id": "pyup.io-45866", "type": "cve", "cve": "CVE-2020-8231"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45872/f17", "id": "pyup.io-45872", "type": "cve", "cve": "CVE-2021-22924"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45934/f17", "id": "pyup.io-45934", "type": "cve", "cve": "CVE-2021-29571"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45936/f17", "id": "pyup.io-45936", "type": "cve", "cve": "CVE-2021-29573"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45871/f17", "id": "pyup.io-45871", "type": "cve", "cve": "CVE-2021-22923"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43835/f17", "id": "pyup.io-43835", "type": "cve", "cve": "CVE-2020-15207"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43836/f17", "id": "pyup.io-43836", "type": "cve", "cve": "CVE-2020-15195"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": 
"/v/43851/f17", "id": "pyup.io-43851", "type": "cve", "cve": "CVE-2020-9327"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43834/f17", "id": "pyup.io-43834", "type": "cve", "cve": "CVE-2020-15209"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43832/f17", "id": "pyup.io-43832", "type": "cve", "cve": "CVE-2020-15206"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45925/f17", "id": "pyup.io-45925", "type": "cve", "cve": "CVE-2021-29562"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45970/f17", "id": "pyup.io-45970", "type": "cve", "cve": "CVE-2021-29607"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45893/f17", "id": "pyup.io-45893", "type": "cve", "cve": "CVE-2021-29530"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45944/f17", "id": "pyup.io-45944", "type": "cve", "cve": "CVE-2021-29581"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43833/f17", "id": "pyup.io-43833", "type": "cve", "cve": "CVE-2020-15208"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45857/f17", 
"id": "pyup.io-45857", "type": "cve", "cve": "CVE-2020-15265"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45965/f17", "id": "pyup.io-45965", "type": "cve", "cve": "CVE-2021-29602"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45981/f17", "id": "pyup.io-45981", "type": "cve", "cve": "CVE-2021-29618"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45877/f17", "id": "pyup.io-45877", "type": "cve", "cve": "CVE-2021-29514"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45878/f17", "id": "pyup.io-45878", "type": "cve", "cve": "CVE-2021-29515"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45886/f17", "id": "pyup.io-45886", "type": "cve", "cve": "CVE-2021-29523"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45882/f17", "id": "pyup.io-45882", "type": "cve", "cve": "CVE-2021-29519"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45896/f17", "id": "pyup.io-45896", "type": "cve", "cve": "CVE-2021-29533"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to 
v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45909/f17", "id": "pyup.io-45909", "type": "cve", "cve": "CVE-2021-29546"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45928/f17", "id": "pyup.io-45928", "type": "cve", "cve": "CVE-2021-29565"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45931/f17", "id": "pyup.io-45931", "type": "cve", "cve": "CVE-2021-29568"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45938/f17", "id": "pyup.io-45938", "type": "cve", "cve": "CVE-2021-29575"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45945/f17", "id": "pyup.io-45945", "type": "cve", "cve": "CVE-2021-29582"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45953/f17", "id": "pyup.io-45953", "type": "cve", "cve": "CVE-2021-29590"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45954/f17", "id": "pyup.io-45954", "type": "cve", "cve": "CVE-2021-29591"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45946/f17", "id": "pyup.io-45946", "type": "cve", "cve": "CVE-2021-29583"}, {"specs": 
["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45977/f17", "id": "pyup.io-45977", "type": "cve", "cve": "CVE-2021-29614"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46003/f17", "id": "pyup.io-46003", "type": "cve", "cve": "CVE-2021-41215"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46006/f17", "id": "pyup.io-46006", "type": "cve", "cve": "CVE-2021-41218"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45891/f17", "id": "pyup.io-45891", "type": "cve", "cve": "CVE-2021-29528"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46053/f17", "id": "pyup.io-46053", "type": "cve", "cve": "CVE-2022-23575"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45895/f17", "id": "pyup.io-45895", "type": "cve", "cve": "CVE-2021-29532"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45921/f17", "id": "pyup.io-45921", "type": "cve", "cve": "CVE-2021-29558"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": 
"/v/46033/f17", "id": "pyup.io-46033", "type": "cve", "cve": "CVE-2022-21740"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46041/f17", "id": "pyup.io-46041", "type": "cve", "cve": "CVE-2022-23563"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46055/f17", "id": "pyup.io-46055", "type": "cve", "cve": "CVE-2022-23577"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46064/f17", "id": "pyup.io-46064", "type": "cve", "cve": "CVE-2022-23586"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46067/f17", "id": "pyup.io-46067", "type": "cve", "cve": "CVE-2022-23589"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46024/f17", "id": "pyup.io-46024", "type": "cve", "cve": "CVE-2022-21731"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46048/f17", "id": "pyup.io-46048", "type": "cve", "cve": "CVE-2022-23570"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45853/f17", "id": "pyup.io-45853", "type": "cve", "cve": "CVE-2019-20838"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include 
security fixes.", "transitive": true, "more_info_path": "/v/43854/f17", "id": "pyup.io-43854", "type": "cve", "cve": "CVE-2020-15213"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43855/f17", "id": "pyup.io-43855", "type": "cve", "cve": "CVE-2020-15210"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/38822/f17", "id": "pyup.io-38822", "type": "cve", "cve": "CVE-2020-15211"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43848/f17", "id": "pyup.io-43848", "type": "cve", "cve": "CVE-2020-13435"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46009/f17", "id": "pyup.io-46009", "type": "cve", "cve": "CVE-2021-41221"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43838/f17", "id": "pyup.io-43838", "type": "cve", "cve": "CVE-2020-15203"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43844/f17", "id": "pyup.io-43844", "type": "cve", "cve": "CVE-2020-15191"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43853/f17", "id": "pyup.io-43853", "type": "cve", "cve": "CVE-2020-15193"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43829/f17", "id": "pyup.io-43829", "type": "cve", "cve": "CVE-2020-15204"}, {"specs": 
["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43831/f17", "id": "pyup.io-43831", "type": "cve", "cve": "CVE-2020-15202"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43837/f17", "id": "pyup.io-43837", "type": "cve", "cve": "CVE-2020-15190"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43839/f17", "id": "pyup.io-43839", "type": "cve", "cve": "CVE-2020-15212"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43841/f17", "id": "pyup.io-43841", "type": "cve", "cve": "CVE-2020-15194"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43842/f17", "id": "pyup.io-43842", "type": "cve", "cve": "CVE-2020-15214"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45855/f17", "id": "pyup.io-45855", "type": "cve", "cve": "CVE-2020-14155"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45859/f17", "id": "pyup.io-45859", "type": "cve", "cve": "CVE-2020-26266"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45862/f17", "id": "pyup.io-45862", "type": "cve", "cve": "CVE-2020-26270"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum 
requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45863/f17", "id": "pyup.io-45863", "type": "cve", "cve": "CVE-2020-26271"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45904/f17", "id": "pyup.io-45904", "type": "cve", "cve": "CVE-2021-29541"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45885/f17", "id": "pyup.io-45885", "type": "cve", "cve": "CVE-2021-29522"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45887/f17", "id": "pyup.io-45887", "type": "cve", "cve": "CVE-2021-29524"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45888/f17", "id": "pyup.io-45888", "type": "cve", "cve": "CVE-2021-29525"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45889/f17", "id": "pyup.io-45889", "type": "cve", "cve": "CVE-2021-29526"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45892/f17", "id": "pyup.io-45892", "type": "cve", "cve": "CVE-2021-29529"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46019/f17", "id": "pyup.io-46019", "type": "cve", "cve": "CVE-2022-21726"}, 
{"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45899/f17", "id": "pyup.io-45899", "type": "cve", "cve": "CVE-2021-29536"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45903/f17", "id": "pyup.io-45903", "type": "cve", "cve": "CVE-2021-29540"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46022/f17", "id": "pyup.io-46022", "type": "cve", "cve": "CVE-2022-21729"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45907/f17", "id": "pyup.io-45907", "type": "cve", "cve": "CVE-2021-29544"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46043/f17", "id": "pyup.io-46043", "type": "cve", "cve": "CVE-2022-23565"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45908/f17", "id": "pyup.io-45908", "type": "cve", "cve": "CVE-2021-29545"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45911/f17", "id": "pyup.io-45911", "type": "cve", "cve": "CVE-2021-29548"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, 
"more_info_path": "/v/45912/f17", "id": "pyup.io-45912", "type": "cve", "cve": "CVE-2021-29549"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45915/f17", "id": "pyup.io-45915", "type": "cve", "cve": "CVE-2021-29552"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45917/f17", "id": "pyup.io-45917", "type": "cve", "cve": "CVE-2021-29554"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45919/f17", "id": "pyup.io-45919", "type": "cve", "cve": "CVE-2021-29556"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45922/f17", "id": "pyup.io-45922", "type": "cve", "cve": "CVE-2021-29559"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45926/f17", "id": "pyup.io-45926", "type": "cve", "cve": "CVE-2021-29563"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45929/f17", "id": "pyup.io-45929", "type": "cve", "cve": "CVE-2021-29566"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45947/f17", "id": "pyup.io-45947", "type": "cve", "cve": "CVE-2021-29584"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 
'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45948/f17", "id": "pyup.io-45948", "type": "cve", "cve": "CVE-2021-29585"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45950/f17", "id": "pyup.io-45950", "type": "cve", "cve": "CVE-2021-29587"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45951/f17", "id": "pyup.io-45951", "type": "cve", "cve": "CVE-2021-29588"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45937/f17", "id": "pyup.io-45937", "type": "cve", "cve": "CVE-2021-29574"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45940/f17", "id": "pyup.io-45940", "type": "cve", "cve": "CVE-2021-29577"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45942/f17", "id": "pyup.io-45942", "type": "cve", "cve": "CVE-2021-29579"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45943/f17", "id": "pyup.io-45943", "type": "cve", "cve": "CVE-2021-29580"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45955/f17", "id": "pyup.io-45955", "type": "cve", "cve": 
"CVE-2021-29592"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45956/f17", "id": "pyup.io-45956", "type": "cve", "cve": "CVE-2021-29593"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45958/f17", "id": "pyup.io-45958", "type": "cve", "cve": "CVE-2021-29595"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45961/f17", "id": "pyup.io-45961", "type": "cve", "cve": "CVE-2021-29598"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45974/f17", "id": "pyup.io-45974", "type": "cve", "cve": "CVE-2021-29611"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45979/f17", "id": "pyup.io-45979", "type": "cve", "cve": "CVE-2021-29616"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45980/f17", "id": "pyup.io-45980", "type": "cve", "cve": "CVE-2021-29617"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45982/f17", "id": "pyup.io-45982", "type": "cve", "cve": "CVE-2021-29619"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", 
"transitive": true, "more_info_path": "/v/45983/f17", "id": "pyup.io-45983", "type": "cve", "cve": "CVE-2021-41195"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45984/f17", "id": "pyup.io-45984", "type": "cve", "cve": "CVE-2021-41196"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45985/f17", "id": "pyup.io-45985", "type": "cve", "cve": "CVE-2021-41197"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45986/f17", "id": "pyup.io-45986", "type": "cve", "cve": "CVE-2021-41198"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45987/f17", "id": "pyup.io-45987", "type": "cve", "cve": "CVE-2021-41199"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45988/f17", "id": "pyup.io-45988", "type": "cve", "cve": "CVE-2021-41200"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45989/f17", "id": "pyup.io-45989", "type": "cve", "cve": "CVE-2021-41201"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45992/f17", "id": "pyup.io-45992", "type": "cve", "cve": "CVE-2021-41204"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 
updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45994/f17", "id": "pyup.io-45994", "type": "cve", "cve": "CVE-2021-41206"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45997/f17", "id": "pyup.io-45997", "type": "cve", "cve": "CVE-2021-41209"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45996/f17", "id": "pyup.io-45996", "type": "cve", "cve": "CVE-2021-41208"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45998/f17", "id": "pyup.io-45998", "type": "cve", "cve": "CVE-2021-41210"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45999/f17", "id": "pyup.io-45999", "type": "cve", "cve": "CVE-2021-41211"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46005/f17", "id": "pyup.io-46005", "type": "cve", "cve": "CVE-2021-41217"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46010/f17", "id": "pyup.io-46010", "type": "cve", "cve": "CVE-2021-41222"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46011/f17", "id": "pyup.io-46011", 
"type": "cve", "cve": "CVE-2021-41223"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45867/f17", "id": "pyup.io-45867", "type": "cve", "cve": "CVE-2020-8284"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45861/f17", "id": "pyup.io-45861", "type": "cve", "cve": "CVE-2020-26268"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45870/f17", "id": "pyup.io-45870", "type": "cve", "cve": "CVE-2021-22922"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45884/f17", "id": "pyup.io-45884", "type": "cve", "cve": "CVE-2021-29521"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45890/f17", "id": "pyup.io-45890", "type": "cve", "cve": "CVE-2021-29527"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45901/f17", "id": "pyup.io-45901", "type": "cve", "cve": "CVE-2021-29538"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45898/f17", "id": "pyup.io-45898", "type": "cve", "cve": "CVE-2021-29535"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include 
security fixes.", "transitive": true, "more_info_path": "/v/45918/f17", "id": "pyup.io-45918", "type": "cve", "cve": "CVE-2021-29555"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45914/f17", "id": "pyup.io-45914", "type": "cve", "cve": "CVE-2021-29551"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45949/f17", "id": "pyup.io-45949", "type": "cve", "cve": "CVE-2021-29586"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45932/f17", "id": "pyup.io-45932", "type": "cve", "cve": "CVE-2021-29569"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45933/f17", "id": "pyup.io-45933", "type": "cve", "cve": "CVE-2021-29570"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45960/f17", "id": "pyup.io-45960", "type": "cve", "cve": "CVE-2021-29597"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45939/f17", "id": "pyup.io-45939", "type": "cve", "cve": "CVE-2021-29576"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45935/f17", "id": "pyup.io-45935", "type": "cve", "cve": "CVE-2021-29572"}, {"specs": ["<3.4.0"], "advisory": 
"Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45962/f17", "id": "pyup.io-45962", "type": "cve", "cve": "CVE-2021-29599"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45995/f17", "id": "pyup.io-45995", "type": "cve", "cve": "CVE-2021-41207"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45993/f17", "id": "pyup.io-45993", "type": "cve", "cve": "CVE-2021-41205"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46002/f17", "id": "pyup.io-46002", "type": "cve", "cve": "CVE-2021-41214"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45973/f17", "id": "pyup.io-45973", "type": "cve", "cve": "CVE-2021-29610"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46015/f17", "id": "pyup.io-46015", "type": "cve", "cve": "CVE-2021-41227"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46018/f17", "id": "pyup.io-46018", "type": "cve", "cve": "CVE-2022-21725"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46020/f17", "id": 
"pyup.io-46020", "type": "cve", "cve": "CVE-2022-21727"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46021/f17", "id": "pyup.io-46021", "type": "cve", "cve": "CVE-2022-21728"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46023/f17", "id": "pyup.io-46023", "type": "cve", "cve": "CVE-2022-21730"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46061/f17", "id": "pyup.io-46061", "type": "cve", "cve": "CVE-2022-23583"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46029/f17", "id": "pyup.io-46029", "type": "cve", "cve": "CVE-2022-21736"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46038/f17", "id": "pyup.io-46038", "type": "cve", "cve": "CVE-2022-23560"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46034/f17", "id": "pyup.io-46034", "type": "cve", "cve": "CVE-2022-21741"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46036/f17", "id": "pyup.io-46036", "type": "cve", "cve": "CVE-2022-23558"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 
to include security fixes.", "transitive": true, "more_info_path": "/v/46037/f17", "id": "pyup.io-46037", "type": "cve", "cve": "CVE-2022-23559"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46039/f17", "id": "pyup.io-46039", "type": "cve", "cve": "CVE-2022-23561"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46040/f17", "id": "pyup.io-46040", "type": "cve", "cve": "CVE-2022-23562"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46044/f17", "id": "pyup.io-46044", "type": "cve", "cve": "CVE-2022-23566"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46045/f17", "id": "pyup.io-46045", "type": "cve", "cve": "CVE-2022-23567"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46047/f17", "id": "pyup.io-46047", "type": "cve", "cve": "CVE-2022-23569"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46052/f17", "id": "pyup.io-46052", "type": "cve", "cve": "CVE-2022-23574"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46049/f17", "id": "pyup.io-46049", "type": "cve", "cve": "CVE-2022-23571"}, {"specs": ["<3.4.1"], 
"advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46050/f17", "id": "pyup.io-46050", "type": "cve", "cve": "CVE-2022-23572"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46054/f17", "id": "pyup.io-46054", "type": "cve", "cve": "CVE-2022-23576"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46056/f17", "id": "pyup.io-46056", "type": "cve", "cve": "CVE-2022-23578"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46057/f17", "id": "pyup.io-46057", "type": "cve", "cve": "CVE-2022-23579"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46058/f17", "id": "pyup.io-46058", "type": "cve", "cve": "CVE-2022-23580"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46059/f17", "id": "pyup.io-46059", "type": "cve", "cve": "CVE-2022-23581"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46060/f17", "id": "pyup.io-46060", "type": "cve", "cve": "CVE-2022-23582"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": 
"/v/46062/f17", "id": "pyup.io-46062", "type": "cve", "cve": "CVE-2022-23584"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46063/f17", "id": "pyup.io-46063", "type": "cve", "cve": "CVE-2022-23585"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46066/f17", "id": "pyup.io-46066", "type": "cve", "cve": "CVE-2022-23588"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46025/f17", "id": "pyup.io-46025", "type": "cve", "cve": "CVE-2022-21732"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46026/f17", "id": "pyup.io-46026", "type": "cve", "cve": "CVE-2022-21733"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46035/f17", "id": "pyup.io-46035", "type": "cve", "cve": "CVE-2022-23557"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46046/f17", "id": "pyup.io-46046", "type": "cve", "cve": "CVE-2022-23568"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46027/f17", "id": "pyup.io-46027", "type": "cve", "cve": "CVE-2022-21734"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum 
requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46051/f17", "id": "pyup.io-46051", "type": "cve", "cve": "CVE-2022-23573"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46069/f17", "id": "pyup.io-46069", "type": "cve", "cve": "CVE-2022-23595"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45875/f17", "id": "pyup.io-45875", "type": "cve", "cve": "CVE-2021-29512"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45879/f17", "id": "pyup.io-45879", "type": "cve", "cve": "CVE-2021-29516"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45894/f17", "id": "pyup.io-45894", "type": "cve", "cve": "CVE-2021-29531"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45941/f17", "id": "pyup.io-45941", "type": "cve", "cve": "CVE-2021-29578"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45957/f17", "id": "pyup.io-45957", "type": "cve", "cve": "CVE-2021-29594"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45963/f17", "id": "pyup.io-45963", "type": "cve", "cve": "CVE-2021-29600"}, 
{"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45990/f17", "id": "pyup.io-45990", "type": "cve", "cve": "CVE-2021-41202"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46065/f17", "id": "pyup.io-46065", "type": "cve", "cve": "CVE-2022-23587"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45906/f17", "id": "pyup.io-45906", "type": "cve", "cve": "CVE-2021-29543"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45910/f17", "id": "pyup.io-45910", "type": "cve", "cve": "CVE-2021-29547"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45966/f17", "id": "pyup.io-45966", "type": "cve", "cve": "CVE-2021-29603"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46000/f17", "id": "pyup.io-46000", "type": "cve", "cve": "CVE-2021-41212"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46007/f17", "id": "pyup.io-46007", "type": "cve", "cve": "CVE-2021-41219"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, 
"more_info_path": "/v/45927/f17", "id": "pyup.io-45927", "type": "cve", "cve": "CVE-2021-29564"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46008/f17", "id": "pyup.io-46008", "type": "cve", "cve": "CVE-2021-41220"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46012/f17", "id": "pyup.io-46012", "type": "cve", "cve": "CVE-2021-41224"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46013/f17", "id": "pyup.io-46013", "type": "cve", "cve": "CVE-2021-41225"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/46014/f17", "id": "pyup.io-46014", "type": "cve", "cve": "CVE-2021-41226"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46030/f17", "id": "pyup.io-46030", "type": "cve", "cve": "CVE-2022-21737"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46032/f17", "id": "pyup.io-46032", "type": "cve", "cve": "CVE-2022-21739"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46042/f17", "id": "pyup.io-46042", "type": "cve", "cve": "CVE-2022-23564"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 
'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45868/f17", "id": "pyup.io-45868", "type": "cve", "cve": "CVE-2020-8285"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45874/f17", "id": "pyup.io-45874", "type": "cve", "cve": "CVE-2021-22926"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46068/f17", "id": "pyup.io-46068", "type": "cve", "cve": "CVE-2022-23591"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43843/f17", "id": "pyup.io-43843", "type": "cve", "cve": "CVE-2020-15358"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43846/f17", "id": "pyup.io-43846", "type": "cve", "cve": "CVE-2020-11655"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43847/f17", "id": "pyup.io-43847", "type": "cve", "cve": "CVE-2020-13434"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43849/f17", "id": "pyup.io-43849", "type": "cve", "cve": "CVE-2020-13871"}, {"specs": ["<3.2.4"], "advisory": "Hotaru 3.2.4 updates Tensorflow to >= 2.2.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43850/f17", "id": "pyup.io-43850", "type": "cve", "cve": "CVE-2020-13631"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": 
true, "more_info_path": "/v/45854/f17", "id": "pyup.io-45854", "type": "cve", "cve": "CVE-2020-13790"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45856/f17", "id": "pyup.io-45856", "type": "cve", "cve": "CVE-2020-15250"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45864/f17", "id": "pyup.io-45864", "type": "cve", "cve": "CVE-2020-8169"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45865/f17", "id": "pyup.io-45865", "type": "cve", "cve": "CVE-2020-8177"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45869/f17", "id": "pyup.io-45869", "type": "cve", "cve": "CVE-2020-8286"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45873/f17", "id": "pyup.io-45873", "type": "cve", "cve": "CVE-2021-22925"}, {"specs": ["<3.4.1"], "advisory": "Hotaru 3.4.1 updates its dependency 'TensorFlow' minimum requirement to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/46017/f17", "id": "pyup.io-46017", "type": "cve", "cve": "CVE-2020-10531"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45976/f17", "id": "pyup.io-45976", "type": "cve", "cve": "CVE-2021-29613"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 
'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45991/f17", "id": "pyup.io-45991", "type": "cve", "cve": "CVE-2021-41203"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45969/f17", "id": "pyup.io-45969", "type": "cve", "cve": "CVE-2021-29606"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45964/f17", "id": "pyup.io-45964", "type": "cve", "cve": "CVE-2021-29601"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45967/f17", "id": "pyup.io-45967", "type": "cve", "cve": "CVE-2021-29604"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45968/f17", "id": "pyup.io-45968", "type": "cve", "cve": "CVE-2021-29605"}, {"specs": ["<3.4.0"], "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/45972/f17", "id": "pyup.io-45972", "type": "cve", "cve": "CVE-2021-29609"}], "ai-python": [{"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43062/f17", "id": "pyup.io-43062", "type": "cve", "cve": "CVE-2021-41213"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", "transitive": true, "more_info_path": "/v/43083/f17", "id": "pyup.io-43083", "type": "cve", "cve": "CVE-2021-23437"}, 
{"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", "transitive": true, "more_info_path": "/v/43082/f17", "id": "pyup.io-43082", "type": "cve", "cve": "CVE-2021-34552"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43071/f17", "id": "pyup.io-43071", "type": "cve", "cve": "CVE-2021-41208"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43053/f17", "id": "pyup.io-43053", "type": "cve", "cve": "CVE-2021-41211"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43061/f17", "id": "pyup.io-43061", "type": "cve", "cve": "CVE-2021-41209"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43064/f17", "id": "pyup.io-43064", "type": "cve", "cve": "CVE-2021-41228"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43054/f17", "id": "pyup.io-43054", "type": "cve", "cve": "CVE-2021-41217"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43055/f17", "id": "pyup.io-43055", "type": "cve", "cve": "CVE-2021-41214"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43056/f17", "id": "pyup.io-43056", "type": "cve", "cve": "CVE-2021-41219"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 
updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43067/f17", "id": "pyup.io-43067", "type": "cve", "cve": "CVE-2021-41218"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43068/f17", "id": "pyup.io-43068", "type": "cve", "cve": "CVE-2021-41216"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43072/f17", "id": "pyup.io-43072", "type": "cve", "cve": "CVE-2021-41206"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43077/f17", "id": "pyup.io-43077", "type": "cve", "cve": "CVE-2021-41201"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43078/f17", "id": "pyup.io-43078", "type": "cve", "cve": "CVE-2021-41197"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43063/f17", "id": "pyup.io-43063", "type": "cve", "cve": "CVE-2021-41204"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43065/f17", "id": "pyup.io-43065", "type": "cve", "cve": "CVE-2021-41222"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43066/f17", "id": "pyup.io-43066", "type": "cve", "cve": "CVE-2021-41224"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 
to include security fixes.", "transitive": true, "more_info_path": "/v/43070/f17", "id": "pyup.io-43070", "type": "cve", "cve": "CVE-2021-41220"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43075/f17", "id": "pyup.io-43075", "type": "cve", "cve": "CVE-2021-41207"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43076/f17", "id": "pyup.io-43076", "type": "cve", "cve": "CVE-2021-41202"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43080/f17", "id": "pyup.io-43080", "type": "cve", "cve": "CVE-2021-41198"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43069/f17", "id": "pyup.io-43069", "type": "cve", "cve": "CVE-2021-41215"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43081/f17", "id": "pyup.io-43081", "type": "cve", "cve": "CVE-2021-41210"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43050/f17", "id": "pyup.io-43050", "type": "cve", "cve": "CVE-2021-41196"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43059/f17", "id": "pyup.io-43059", "type": "cve", "cve": "CVE-2021-41225"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": 
true, "more_info_path": "/v/43051/f17", "id": "pyup.io-43051", "type": "cve", "cve": "CVE-2021-41203"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43074/f17", "id": "pyup.io-43074", "type": "cve", "cve": "CVE-2021-41212"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43079/f17", "id": "pyup.io-43079", "type": "cve", "cve": "CVE-2021-41195"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43052/f17", "id": "pyup.io-43052", "type": "cve", "cve": "CVE-2021-41200"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43057/f17", "id": "pyup.io-43057", "type": "cve", "cve": "CVE-2021-41226"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43058/f17", "id": "pyup.io-43058", "type": "cve", "cve": "CVE-2021-41227"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43060/f17", "id": "pyup.io-43060", "type": "cve", "cve": "CVE-2021-41221"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43073/f17", "id": "pyup.io-43073", "type": "cve", "cve": "CVE-2021-41205"}, {"specs": ["<0.8.1"], "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "transitive": true, "more_info_path": "/v/43002/f17", "id": 
"pyup.io-43002", "type": "cve", "cve": "CVE-2021-41199"}], "cryptography": [{"specs": ["<0.9.1"], "advisory": "Cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures.\r\nhttps://github.com/pyca/cryptography/pull/2013", "transitive": false, "more_info_path": "/v/25678/f17", "id": "pyup.io-25678", "type": "pve", "cve": "PVE-2021-25678"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "transitive": true, "more_info_path": "/v/53305/f17", "id": "pyup.io-53305", "type": "cve", "cve": "CVE-2023-0215"}, {"specs": ["<1.1"], "advisory": "Cryptography 1.1 don't use pipes to avoid truncation attacks.\r\nhttps://github.com/pyca/cryptography/pull/2334", "transitive": false, "more_info_path": "/v/53297/f17", "id": "pyup.io-53297", "type": "pve", "cve": "PVE-2023-53297"}, {"specs": [">=37.0.0,<38.0.3"], "advisory": "Cryptography versions from 37.0.0 and before 38.0.2 include a statically linked copy of OpenSSL that has known vulnerabilities.\r\nhttps://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x", "transitive": true, "more_info_path": "/v/52173/f17", "id": "pyup.io-52173", "type": "cve", "cve": "CVE-2022-3786"}, {"specs": ["<2.1.3"], "advisory": "Cryptography 2.1.3 updates Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g, that includes security fixes.", "transitive": true, "more_info_path": "/v/50724/f17", "id": "pyup.io-50724", "type": "cve", "cve": "CVE-2017-3735"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "transitive": true, "more_info_path": "/v/53306/f17", "id": "pyup.io-53306", "type": "cve", "cve": "CVE-2023-0217"}, {"specs": ["<=3.2"], "advisory": "Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing 
attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.", "transitive": false, "more_info_path": "/v/38932/f17", "id": "pyup.io-38932", "type": "cve", "cve": "CVE-2020-25659"}, {"specs": ["<3.3.2"], "advisory": "Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.", "transitive": false, "more_info_path": "/v/39606/f17", "id": "pyup.io-39606", "type": "cve", "cve": "CVE-2020-36242"}, {"specs": ["<1.5.3"], "advisory": "Cryptography 1.5.3 includes a fix for CVE-2016-9243: HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.\r\nhttps://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874", "transitive": false, "more_info_path": "/v/25680/f17", "id": "pyup.io-25680", "type": "cve", "cve": "CVE-2016-9243"}, {"specs": [">=1.8,<39.0.1"], "advisory": "Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8.\r\nhttps://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r", "transitive": false, "more_info_path": "/v/53048/f17", "id": "pyup.io-53048", "type": "cve", "cve": "CVE-2023-23931"}, {"specs": ["<1.0.2"], "advisory": "Cryptography 1.0.2 fixes a vulnerability. The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with '-O' these asserts are optimized away. 
If a user ran Python with this flag and got an invalid response code, this could lead to undefined behavior or worse.", "transitive": false, "more_info_path": "/v/25679/f17", "id": "pyup.io-25679", "type": "pve", "cve": "PVE-2021-25679"}, {"specs": ["<2.1.3"], "advisory": "Cryptography 2.1.3 updates Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g, that includes security fixes.", "transitive": true, "more_info_path": "/v/50725/f17", "id": "pyup.io-50725", "type": "cve", "cve": "CVE-2017-3736"}, {"specs": [">=37.0.0,<38.0.3"], "advisory": "Cryptography versions from 37.0.0 and before 38.0.2 include a statically linked copy of OpenSSL that has known vulnerabilities.\r\nhttps://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x", "transitive": true, "more_info_path": "/v/52174/f17", "id": "pyup.io-52174", "type": "cve", "cve": "CVE-2022-3602"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl.\r\nhttps://github.com/pyca/cryptography/issues/7940", "transitive": true, "more_info_path": "/v/53298/f17", "id": "pyup.io-53298", "type": "cve", "cve": "CVE-2022-3996"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "transitive": true, "more_info_path": "/v/53299/f17", "id": "pyup.io-53299", "type": "cve", "cve": "CVE-2022-4450"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "transitive": true, "more_info_path": "/v/53301/f17", "id": "pyup.io-53301", "type": "cve", "cve": "CVE-2022-4203"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "transitive": true, 
"more_info_path": "/v/53302/f17", "id": "pyup.io-53302", "type": "cve", "cve": "CVE-2023-0216"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "transitive": true, "more_info_path": "/v/53303/f17", "id": "pyup.io-53303", "type": "cve", "cve": "CVE-2022-4304"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "transitive": true, "more_info_path": "/v/53304/f17", "id": "pyup.io-53304", "type": "cve", "cve": "CVE-2023-0286"}, {"specs": ["<39.0.1"], "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "transitive": true, "more_info_path": "/v/53307/f17", "id": "pyup.io-53307", "type": "cve", "cve": "CVE-2023-0401"}, {"specs": [">=1.9.0,<2.3"], "advisory": "A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. 
See: CVE-2018-10903.", "transitive": false, "more_info_path": "/v/36351/f17", "id": "pyup.io-36351", "type": "cve", "cve": "CVE-2018-10903"}], "dateable-chronos": [{"specs": ["<0.8"], "advisory": "Dateable.chronos 0.8 includes a fix for a XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71", "transitive": false, "more_info_path": "/v/25685/f17", "id": "pyup.io-25685", "type": "pve", "cve": "PVE-2021-25685"}, {"specs": ["<0.8"], "advisory": "Dateable-chronos 0.8 includes a fix for a XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71", "transitive": false, "more_info_path": "/v/35988/f17", "id": "pyup.io-35988", "type": "pve", "cve": "PVE-2021-35988"}], "python": [{"specs": ["<2.7.12", ">=3.0,<3.4.5", ">=3.5,<3.5.2"], "advisory": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. See CVE-2016-5636.", "transitive": false, "more_info_path": "/v/45617/f17", "id": "pyup.io-45617", "type": "cve", "cve": "CVE-2016-5636"}, {"specs": ["<2.7.17", ">=3.0.0a0,<3.5.10", ">=3.6.0a0,<3.6.10", ">=3.7.0a0,<3.7.5"], "advisory": "Python versions 2.7.17, 3.5.10, 3.6.10 and 3.7.5 include a fix for CVE-2019-16935: The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. 
If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.\r\nhttps://bugs.python.org/issue38243", "transitive": false, "more_info_path": "/v/45681/f17", "id": "pyup.io-45681", "type": "cve", "cve": "CVE-2019-16935"}, {"specs": ["<2.7.16"], "advisory": "Python 2.7.16 includes a fix for CVE-2018-1000802: Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service or Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function.\r\nhttps://bugs.python.org/issue34540", "transitive": false, "more_info_path": "/v/45646/f17", "id": "pyup.io-45646", "type": "cve", "cve": "CVE-2018-1000802"}, {"specs": ["<3.6.13", ">=3.7.0a0,<3.7.10", ">=3.8.0a0,<3.8.7", ">=3.9.0a0,<3.9.2", ">=3.10.0a0,<3.10.0a4"], "advisory": "Python versions 3.6.13, 3.7.10, 3.8.7, 3.9.2 and 3.10.0a4 use CRYPTO_memcmp() for compare_digest to try harder to be constant-time.\r\nhttps://bugs.python.org/issue40791", "transitive": false, "more_info_path": "/v/45702/f17", "id": "pyup.io-45702", "type": "pve", "cve": "PVE-2021-42385"}, {"specs": ["<3.6.10", ">=3.7.0a0,<3.7.6", ">=3.8.0a0,<3.8.1"], "advisory": "Python versions 3.6.10, 3.7.6 and 3.8.1 fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR that allowed by default multiple processes to bind the same port.\r\nhttps://bugs.python.org/issue37228", "transitive": false, "more_info_path": "/v/45700/f17", "id": "pyup.io-45700", "type": "pve", "cve": "PVE-2021-42387"}, {"specs": ["<2.7.16", ">=3.3.0a0,<3.3.6", ">=3.4.0a0,<3.4.2", ">=3.0.0a0,<3.2.6"], "advisory": "Python versions 2.7.16, 3.2.6, 3.3.6 and 3.4.2 limit imaplib.IMAP4_SSL.readline() to avoid DoS. 
This issue was initially assigned a CVE but it was rejected due to the patch not working for some OSes (now fixed). See CVE-2013-1752.\r\nhttps://bugs.python.org/issue16039", "transitive": false, "more_info_path": "/v/45676/f17", "id": "pyup.io-45676", "type": "cve", "cve": "CVE-2013-1752"}, {"specs": [">=2.6.0a0,<2.7.3", ">=3.0.0a0,<3.3"], "advisory": "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file. See CVE-2011-4944.", "transitive": false, "more_info_path": "/v/45644/f17", "id": "pyup.io-45644", "type": "cve", "cve": "CVE-2011-4944"}, {"specs": ["<2.5.3"], "advisory": "Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965.", "transitive": false, "more_info_path": "/v/45625/f17", "id": "pyup.io-45625", "type": "cve", "cve": "CVE-2008-1679"}, {"specs": ["<2.6"], "advisory": "Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function. See CVE-2010-1450.", "transitive": false, "more_info_path": "/v/45624/f17", "id": "pyup.io-45624", "type": "cve", "cve": "CVE-2010-1450"}, {"specs": ["<2.7.16", ">=3.0.0a0,<3.4.10", ">=3.5.0a0,<3.5.7", ">=3.6.0a0,<3.6.9", ">=3.7.0a0,<3.7.3"], "advisory": "Python versions 2.7.16, 3.4.10, 3.5.7, 3.6.9 and 3.7.3 include a fix for CVE-2019-5010: An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. 
A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.\r\nhttps://bugs.python.org/issue35746", "transitive": false, "more_info_path": "/v/45680/f17", "id": "pyup.io-45680", "type": "cve", "cve": "CVE-2019-5010"}, {"specs": [">=3.8.0a0,<3.8.0", ">=3.7.0a0,<3.7.4"], "advisory": "Python versions 3.7.4 and 3.8.0 includes a fix for ssl.match_hostname() ignoring extra strings after whitespace in IPv4 address.\r\nhttps://python-security.readthedocs.io/vuln/ssl-match_hostname-ipv4-trailing.html", "transitive": false, "more_info_path": "/v/45707/f17", "id": "pyup.io-45707", "type": "pve", "cve": "PVE-2021-42391"}, {"specs": ["<3.6.7", ">=3.7.0a0,<3.7.1"], "advisory": "Python versions 3.6.7 and 3.7.1 disable external entities in SAX parser to patch XML vulnerabilities.\r\nhttps://bugs.python.org/issue17239", "transitive": false, "more_info_path": "/v/45706/f17", "id": "pyup.io-45706", "type": "pve", "cve": "PVE-2021-42398"}, {"specs": ["<2.6"], "advisory": "Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.", "transitive": false, "more_info_path": "/v/45616/f17", "id": "pyup.io-45616", "type": "cve", "cve": "CVE-2010-1449"}, {"specs": ["<2.6"], "advisory": "Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference. 
See CVE-2009-4134.", "transitive": false, "more_info_path": "/v/45605/f17", "id": "pyup.io-45605", "type": "cve", "cve": "CVE-2009-4134"}, {"specs": [">0"], "advisory": "In difflib module, table header in output of difflib.HtmlDiff.make_table is not escaped and can be rendered as code in the browser, leading potentially to XSS.\r\nhttps://bugs.python.org/issue35603\r\nhttps://github.com/python/cpython/commit/44e36e80456dabaeb59c6e2a93e0c1322bfeb179", "transitive": false, "more_info_path": "/v/45612/f17", "id": "pyup.io-45612", "type": "pve", "cve": "PVE-2021-42393"}, {"specs": ["<2.7.15", ">=3.0.0a0,<3.4.9", ">=3.5.0a0,<3.5.6rc1", ">=3.6.0a0,<3.6.5rc1", ">=3.7.0a0,<3.7.0"], "advisory": "Python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.", "transitive": false, "more_info_path": "/v/45654/f17", "id": "pyup.io-45654", "type": "cve", "cve": "CVE-2018-1060"}, {"specs": [">=2.7,<2.7.3", ">=3.0,<3.1.5", ">=3.2,<3.2.3", "<2.6.8"], "advisory": "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
See CVE-2012-1150.", "transitive": false, "more_info_path": "/v/45652/f17", "id": "pyup.io-45652", "type": "cve", "cve": "CVE-2012-1150"}, {"specs": [">=3.0.0a0,<3.3.4rc1"], "advisory": "Python 3.3.4rc1 includes a fix for CVE-2013-7338: Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.\r\nhttps://bugs.python.org/issue20078", "transitive": false, "more_info_path": "/v/45649/f17", "id": "pyup.io-45649", "type": "cve", "cve": "CVE-2013-7338"}, {"specs": [">=3.7.0a0,<3.7.0b3"], "advisory": "Python version 3.7.0b3 hardens ssl module against CVE-2018-8970.\r\nhttps://bugs.python.org/issue33136", "transitive": false, "more_info_path": "/v/45658/f17", "id": "pyup.io-45658", "type": "cve", "cve": "CVE-2018-8970"}, {"specs": ["<2.5.5", ">=2.6.0a0,<2.6.4", ">=3.0.0a0,<3.1"], "advisory": "Python versions 2.5.5, 2.6.4 and 3.1 include a fix for CVE-2011-1015: The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.\r\nhttps://bugs.python.org/issue2254", "transitive": false, "more_info_path": "/v/45660/f17", "id": "pyup.io-45660", "type": "cve", "cve": "CVE-2011-1015"}, {"specs": ["<2.6.9", ">=2.7.0a0,<2.7.7", ">=3.2.0a0,<3.2.6", ">=3.3.0a0,<3.3.6", ">=3.4.0a0,<3.4.1"], "advisory": "Python versions 2.6.9, 2.7.7, 3.2.6, 3.3.6 and 3.4.1 include a fix for CVE-2013-4238: The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted 
certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.\r\nhttps://bugs.python.org/issue18709", "transitive": false, "more_info_path": "/v/45663/f17", "id": "pyup.io-45663", "type": "cve", "cve": "CVE-2013-4238"}, {"specs": ["<2.7.16", ">=3.0.0a0,<3.4.10", ">=3.5.0a0,<3.5.7", ">=3.6.0a0,<3.6.7", ">=3.7.0a0,<3.7.1"], "advisory": "Python versions 2.7.16, 3.4.10, 3.5.7, 3.6.7 and 3.7.1 include a fix for CVE-2018-14647: Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM.\r\nhttps://bugs.python.org/issue34623", "transitive": false, "more_info_path": "/v/45677/f17", "id": "pyup.io-45677", "type": "cve", "cve": "CVE-2018-14647"}, {"specs": ["<2.7.7", ">=3.0.0a0,<3.2.6", ">=3.3.0a0,<3.3.6", ">=3.4.0a0,<3.4.2", ">=3.5.0a0,<3.5.0"], "advisory": "Python versions 2.7.7, 3.2.6, 3.3.6, 3.4.2 and 3.5.0 include a fix for CVE-2014-4616: Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.\r\nhttps://bugs.python.org/issue21529", "transitive": false, "more_info_path": "/v/45689/f17", "id": "pyup.io-45689", "type": "cve", "cve": "CVE-2014-4616"}, {"specs": ["<2.7.9", ">=3.2.0a0,<3.2.6", ">=3.3.0a0,<3.3.6", ">=3.4.0a0,<3.4.3"], "advisory": "Python versions 2.7.9, 3.2.6, 3.3.6 and 3.4.3 include a fix for CVE-2013-1753: The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.\r\nhttps://bugs.python.org/issue16043", "transitive": false, "more_info_path": 
"/v/45692/f17", "id": "pyup.io-45692", "type": "cve", "cve": "CVE-2013-1753"}, {"specs": [">=3.0.0a0,<3.4.10", ">=3.5.0a0,<3.5.7", ">=3.6.0a0,<3.6.7", ">=3.7.0a0,<3.7.1"], "advisory": "Python versions 3.4.10, 3.5.7, 3.6.7 and 3.7.1 include a fix for CVE-2018-20406: Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.\r\nhttps://bugs.python.org/issue34656", "transitive": false, "more_info_path": "/v/45695/f17", "id": "pyup.io-45695", "type": "cve", "cve": "CVE-2018-20406"}, {"specs": [">=3.2.0a0,<3.2.5", ">=3.3.0a0,<3.3.6", ">=3.4.0a0,<3.4.2", ">=3.5.0a0,<3.5.0"], "advisory": "Python versions 3.2.5, 3.3.6, 3.4.2 and 3.5.0 include a fix for CVE-2014-2667: Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.\r\nhttps://bugs.python.org/issue21082", "transitive": false, "more_info_path": "/v/45694/f17", "id": "pyup.io-45694", "type": "cve", "cve": "CVE-2014-2667"}, {"specs": ["<3.5.10", ">=3.6.0a0,<3.6.11", ">=3.7.0a0,<3.7.8", ">=3.8.0a0,<3.8.4", ">=3.9.0a0,<3.9.0a6"], "advisory": "Python versions 3.9.0a6, 3.8.4, 3.7.8, 3.6.11, and 3.5.10 disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.\r\nhttps://bugs.python.org/issue39073", "transitive": false, "more_info_path": "/v/45709/f17", "id": "pyup.io-45709", "type": "pve", "cve": "PVE-2021-42386"}, {"specs": [">=3.1,<3.4"], "advisory": "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the 
unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.", "transitive": false, "more_info_path": "/v/45722/f17", "id": "pyup.io-45722", "type": "cve", "cve": "CVE-2012-2135"}, {"specs": ["<2.17.14"], "advisory": "A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.", "transitive": false, "more_info_path": "/v/49455/f17", "id": "pyup.io-49455", "type": "cve", "cve": "CVE-2017-20052"}, {"specs": ["<2.5.2"], "advisory": "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.", "transitive": false, "more_info_path": "/v/45618/f17", "id": "pyup.io-45618", "type": "cve", "cve": "CVE-2008-1721"}, {"specs": [">=3.0.0a0,<3.6.13", ">=3.7.0a0,<3.7.10", ">=3.8.0a0,<3.8.7", ">=3.9.0a0,<3.9.1", ">=3.10.0a0,<3.10.0a2"], "advisory": "Python 3.6.13, 3.7.10, 3.8.7, 3.9.1 and 3.10.0a2 include a fix for CVE-2020-27619: In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.\r\nhttps://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html", "transitive": false, "more_info_path": "/v/45701/f17", "id": "pyup.io-45701", "type": "cve", "cve": "CVE-2020-27619"}, {"specs": ["<2.7.8", ">=3.0.0a0,<3.2.6", ">=3.3.0a0,<3.3.6", ">=3.4.0a0,<3.4.2"], "advisory": "Python versions 2.7.8, 3.2.6, 3.3.6 and 3.4.2 include a fix for CVE-2014-4650: The CGIHTTPServer module in Python 2.7.5 and 3.3.4 (possible in others too) does not properly handle URLs in which URL encoding 
is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.\r\nhttps://bugs.python.org/issue21766", "transitive": false, "more_info_path": "/v/45690/f17", "id": "pyup.io-45690", "type": "cve", "cve": "CVE-2014-4650"}, {"specs": ["<2.7.14", ">=3.5.0a0,<3.5.5", ">=3.0.0a0,<3.4.8"], "advisory": "Python versions 2.7.14, 3.4.8 and 3.5.5 include a fix for CVE-2017-1000158: Integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution).\r\nhttps://bugs.python.org/issue30657", "transitive": false, "more_info_path": "/v/45675/f17", "id": "pyup.io-45675", "type": "cve", "cve": "CVE-2017-1000158"}, {"specs": ["<3.9.16", ">=3.10.0a0,<3.10.9", ">=3.11.0a0,<3.11.0"], "advisory": "Python 3.9.16, 3.10.9 and 3.11.0 include a fix for CVE-2022-42919: Python 3.9.x and 3.10.x through 3.10.8 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. 
Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.\r\nhttps://github.com/python/cpython/issues/97514", "transitive": false, "more_info_path": "/v/51714/f17", "id": "pyup.io-51714", "type": "cve", "cve": "CVE-2022-42919"}, {"specs": ["<2.7.17", ">=3.0.0a0,<3.5.8", ">=3.6.0a0,<3.6.9", ">=3.7.0a0,<3.7.4"], "advisory": "Python versions 2.7.17, 3.5.8, 3.6.9 and 3.7.4 include a fix for CVE-2019-9947: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.\r\nhttps://bugs.python.org/issue35906", "transitive": false, "more_info_path": "/v/45686/f17", "id": "pyup.io-45686", "type": "cve", "cve": "CVE-2019-9947"}, {"specs": ["<2.7.17", ">=3.0.0a0,<3.5.8", ">=3.6.0a0,<3.6.9", ">=3.7.0a0,<3.7.4"], "advisory": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? 
character) followed by an HTTP header or a Redis command.", "transitive": false, "more_info_path": "/v/45685/f17", "id": "pyup.io-45685", "type": "cve", "cve": "CVE-2019-9740"}, {"specs": ["<2.6.6", ">=2.7.0a0,<2.7.0", ">=3.0.0a0,<3.1.3", ">=3.2.0a0,<3.2.0"], "advisory": "Python versions 2.6.6, 2.7.0, 3.1.3 and 3.2.0 include a fix for CVE-2010-1634: The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.\r\nhttps://bugs.python.org/issue7673", "transitive": false, "more_info_path": "/v/45662/f17", "id": "pyup.io-45662", "type": "cve", "cve": "CVE-2010-2089"}, {"specs": ["<2.7.17", ">=3.0.0a0,<3.5.7", ">=3.6.0a0,<3.6.9", ">=3.7.0a0,<3.7.3"], "advisory": "Python versions 2.7.17, 3.5.7, 3.6.9 and 3.7.3 include a fix for CVE-2019-9636: Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is information disclosure (credentials, cookies, etc. that are cached against a given hostname). The affected components are urllib.parse.urlsplit and urllib.parse.urlparse. 
The attack vector is a specially crafted URL that could be incorrectly parsed to locate cookies or authentication data and send that information to a different host.\r\nhttps://bugs.python.org/issue36216", "transitive": false, "more_info_path": "/v/45682/f17", "id": "pyup.io-45682", "type": "cve", "cve": "CVE-2019-9636"}, {"specs": ["<2.7.2", ">=3.0.0a0,<3.2.1"], "advisory": "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. See CVE-2011-1521.", "transitive": false, "more_info_path": "/v/45721/f17", "id": "pyup.io-45721", "type": "cve", "cve": "CVE-2011-1521"}, {"specs": [">=3.7.0,<3.7.10", ">=3.8.0,<3.8.8", ">=3.9.0,<3.9.2", "<3.6.13"], "advisory": "Python versions 3.6.13, 3.7.10, 3.8.8 and 3.9.2 include a fix for CVE-2021-23336: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. 
This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.\r\nhttps://bugs.python.org/issue42967\r\nhttps://github.com/python/cpython/pull/24297", "transitive": false, "more_info_path": "/v/45719/f17", "id": "pyup.io-45719", "type": "cve", "cve": "CVE-2021-23336"}, {"specs": [">=2.7,<2.7.3", ">=3.2,<3.2.3", ">=3.1,<3.1.5", "<2.6.8"], "advisory": "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. See CVE-2012-0845.", "transitive": false, "more_info_path": "/v/45710/f17", "id": "pyup.io-45710", "type": "cve", "cve": "CVE-2012-0845"}, {"specs": ["<3.6.10", ">=3.7.0a0,<3.7.5", ">=3.8.0a0,<3.8.0"], "advisory": "Python versions 3.6.10, 3.7.5 and 3.8.0 fix an infinite loop with short maximum line lengths in EmailPolicy.\r\nhttps://bugs.python.org/issue36564", "transitive": false, "more_info_path": "/v/45699/f17", "id": "pyup.io-45699", "type": "pve", "cve": "PVE-2021-42390"}, {"specs": [">=3.3.0a0,<3.3.3", "<3.2.6"], "advisory": "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.", "transitive": false, "more_info_path": "/v/45693/f17", "id": "pyup.io-45693", "type": "cve", "cve": "CVE-2013-2099"}, {"specs": ["<2.7.9", ">=3.0.0a0,<3.4.3"], "advisory": "Python versions 2.7.9 and 3.4.3 include a fix for CVE-2014-9365: The HTTP clients in the (1) httplib, 
(2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.\r\nhttps://bugs.python.org/issue22417", "transitive": false, "more_info_path": "/v/45691/f17", "id": "pyup.io-45691", "type": "cve", "cve": "CVE-2014-9365"}, {"specs": ["<2.7.7", ">=3.0.0a0,<3.1.5", ">=3.2.0a0,<3.2.6", ">=3.3.0a0,<3.3.4", ">=3.4.0a0,<3.4.0"], "advisory": "Python versions 2.7.7, 3.1.5, 3.2.6, 3.3.4 and 3.4.0 include a fix for CVE-2014-1912: Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.\r\nhttps://bugs.python.org/issue20246", "transitive": false, "more_info_path": "/v/45688/f17", "id": "pyup.io-45688", "type": "cve", "cve": "CVE-2014-1912"}, {"specs": ["<2.7.3", ">=3.0.0a0,<3.1.5"], "advisory": "Python versions 2.7.3 and 3.1.5 include a fix for CVE-2010-3492: The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.\r\nhttps://bugs.python.org/issue6706", "transitive": false, "more_info_path": "/v/45687/f17", "id": "pyup.io-45687", "type": "cve", "cve": "CVE-2010-3492"}, {"specs": ["<3.6.15", ">=3.7.0a0,<3.7.12", ">=3.8.0a0,<3.8.12", ">=3.9.0a0,<3.9.7", ">=3.10.0a0,<3.10.0rc2"], "advisory": "Python versions 3.6.15, 3.7.12, 
3.8.12, 3.9.7 and 3.10.0rc2 fix multiple CRLF injection vulnerabilities in smtplib.\r\nhttps://bugs.python.org/issue43124", "transitive": false, "more_info_path": "/v/45705/f17", "id": "pyup.io-45705", "type": "pve", "cve": "PVE-2021-42379"}, {"specs": ["<2.7.12", ">=3.0,<3.4.5", ">=3.5,<3.5.2"], "advisory": "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\" See CVE-2016-0772.", "transitive": false, "more_info_path": "/v/45720/f17", "id": "pyup.io-45720", "type": "cve", "cve": "CVE-2016-0772"}, {"specs": ["<2.7.16", ">=3.0.0a0,<3.4.10", ">=3.5.0a0,<3.5.7", ">=3.6.0a0,<3.6.9", ">=3.7.0a0,<3.7.3"], "advisory": "Python versions 2.7.16, 3.4.10, 3.5.7, 3.6.9 and 3.7.3 include a fix for CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). 
When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker.\r\nhttps://bugs.python.org/issue35121", "transitive": false, "more_info_path": "/v/45679/f17", "id": "pyup.io-45679", "type": "cve", "cve": "CVE-2018-20852"}, {"specs": ["<2.7.14", ">=3.0.0a0,<3.4.7", ">=3.5.0a0,<3.5.4"], "advisory": "Python versions 2.7.14, 3.4.7 and 3.5.4 update its dependency 'zlib' to v1.2.11 to include security fixes.\r\nhttps://bugs.python.org/issue29169", "transitive": true, "more_info_path": "/v/45673/f17", "id": "pyup.io-45673", "type": "cve", "cve": "CVE-2016-9841"}, {"specs": ["<2.7.14", ">=3.0.0a0,<3.3.7", ">=3.4.0a0,<3.4.7", ">=3.5.0a0,<3.5.4", ">=3.6.0a0,<3.6.3"], "advisory": "Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.3 fix ftplib.FTP.putline() to throw an error for a illegal command, as a remote attacker could attack by using newline characters. This issue is similar to CVE-2017-3533.\r\nhttps://bugs.python.org/issue30119", "transitive": false, "more_info_path": "/v/45671/f17", "id": "pyup.io-45671", "type": "pve", "cve": "PVE-2021-42403"}, {"specs": ["<2.7.13", ">=3.0.0a0,<3.3.7", ">=3.4.0a0,<3.4.6", ">=3.5.0a0,<3.5.3"], "advisory": "Python versions 2.7.13, 3.3.7, 3.4.6 and 3.5.3 include a fix for CVE-2016-1000110: The CGIHandler class in Python does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.\r\nhttps://bugs.python.org/issue27568", "transitive": false, "more_info_path": "/v/45666/f17", "id": "pyup.io-45666", "type": "cve", "cve": "CVE-2016-1000110"}, {"specs": ["<2.7.13", ">=3.0.0a0,<3.3.7", ">=3.4.0a0,<3.4.6", ">=3.5.0a0,<3.5.3"], "advisory": "Python versions 2.7.13, 3.3.7, 3.4.6 and 3.5.3 fix an arbitrary code execution in gettext.c2py().\r\nhttps://python-security.readthedocs.io/vuln/gettext-c2py.html", "transitive": false, "more_info_path": "/v/45665/f17", "id": 
"pyup.io-45665", "type": "pve", "cve": "PVE-2021-42408"}, {"specs": ["<2.4.6", ">=2.5.0a0,<2.5.2"], "advisory": "Python versions 2.4.6 and 2.5.2 include a fix for CVE-2008-5031: Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.\r\nhttps://bugs.python.org/issue4469", "transitive": false, "more_info_path": "/v/45659/f17", "id": "pyup.io-45659", "type": "cve", "cve": "CVE-2008-5031"}, {"specs": ["<2.7.9", ">=3.0.0a0,<3.3.3"], "advisory": "Python version 2.7.9 and 3.3.3 include a fix for CVE-2013-7440: The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.\r\nhttps://bugs.python.org/issue17997", "transitive": false, "more_info_path": "/v/45656/f17", "id": "pyup.io-45656", "type": "cve", "cve": "CVE-2013-7440"}, {"specs": ["<2.6.7", ">=2.7.0a0,<2.7.2", ">=3.0.0a0,<3.1.4", ">=3.2.0a0,<3.2.0"], "advisory": "Python version 2.6.7, 2.7.2, 3.1.4 and 3.2.0 include a fix for CVE-2010-3493: Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.\r\nhttps://bugs.python.org/issue9129", "transitive": false, 
"more_info_path": "/v/45655/f17", "id": "pyup.io-45655", "type": "cve", "cve": "CVE-2010-3493"}, {"specs": ["<2.7.15", ">=3.0.0a0,<3.4.9", ">=3.5.0a0,<3.5.6", ">=3.6.0a0,<3.6.5", ">=3.7.0a0,<3.7.0"], "advisory": "Python before versions 2.7.15, 3.4.9, 3.5.6, 3.6.5 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service. See CVE-2018-1061.\r\nhttps://bugs.python.org/issue32981", "transitive": false, "more_info_path": "/v/45653/f17", "id": "pyup.io-45653", "type": "cve", "cve": "CVE-2018-1061"}, {"specs": ["<2.7.8"], "advisory": "Python 2.7.8 includes a fix for CVE-2014-7185: Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function.\r\nhttps://bugs.python.org/issue21831", "transitive": false, "more_info_path": "/v/45648/f17", "id": "pyup.io-45648", "type": "cve", "cve": "CVE-2014-7185"}, {"specs": ["<2.7.18rc1", ">=3.0.0a0,<3.5.10rc1", ">=3.6.0a0,<3.6.11rc1", ">=3.7.0a0,<3.7.8rc1", ">=3.8.0a0,<3.8.3rc1"], "advisory": "Python 2.7.18rc1, 3.5.10rc1, 3.6.11rc1, 3.7.8rc1 and 3.8.3rc1 include a fix for CVE-2019-18348: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. 
(This is not exploitable when glibc has CVE-2016-10739 fixed.).\r\nhttps://bugs.python.org/issue30458#msg347282", "transitive": false, "more_info_path": "/v/45647/f17", "id": "pyup.io-45647", "type": "cve", "cve": "CVE-2019-18348"}, {"specs": ["<2.7.15"], "advisory": "Python 2.7.15 includes a fix for CVE-2018-1000030: Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.\r\nhttps://bugs.python.org/issue31530", "transitive": false, "more_info_path": "/v/45645/f17", "id": "pyup.io-45645", "type": "cve", "cve": "CVE-2018-1000030"}, {"specs": ["<2.7.14", ">=3.0.0a0,<3.3.7", ">=3.4.0a0,<3.4.7", ">=3.5.0a0,<3.5.4", ">=3.6.0a0,<3.6.2"], "advisory": "Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.2 update modules/expat to libexpat 2.2.1 to include security fixes.\r\nhttps://bugs.python.org/issue29591", "transitive": true, "more_info_path": "/v/45668/f17", "id": "pyup.io-45668", "type": "cve", "cve": "CVE-2016-4472"}, {"specs": ["<2.7.14", ">=3.0.0a0,<3.3.7", ">=3.4.0a0,<3.4.7", ">=3.5.0a0,<3.5.4", ">=3.6.0a0,<3.6.2"], "advisory": "Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.2 update modules/expat to libexpat 2.2.1 to include security fixes.\r\nhttps://bugs.python.org/issue29591", "transitive": true, "more_info_path": "/v/45667/f17", "id": "pyup.io-45667", "type": "cve", "cve": "CVE-2016-0718"}, {"specs": ["<2.7.16", ">=3.0.0a0,<3.4.10", ">=3.5.0a0,<3.5.7", ">=3.6.0a0,<3.6.7", ">=3.7.0a0,<3.7.1", ">=3.8.0a0,<3.8.0"], "advisory": "Python versions 2.7.16, 3.4.10, 3.5.7, 3.6.7, 3.7.1 and 3.8.0 include a fix for CVE-2019-17514: Library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. 
In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.\r\nhttps://bugs.python.org/issue33275\r\nhttps://www.vice.com/en/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies", "transitive": false, "more_info_path": "/v/45678/f17", "id": "pyup.io-45678", "type": "cve", "cve": "CVE-2019-17514"}, {"specs": ["<3.4.0"], "advisory": "Python version 3.4 includes a fix for CVE-2013-7040: Python before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.\r\nhttps://bugs.python.org/issue14621", "transitive": false, "more_info_path": "/v/45657/f17", "id": "pyup.io-45657", "type": "cve", "cve": "CVE-2013-7040"}, {"specs": ["<2.7.17", ">=3.0.0a0,<3.5.8", ">=3.6.0a0,<3.6.10", ">=3.7.0a0,<3.7.5"], "advisory": "Python versions 2.7.17, 3.5.8, 3.6.10 and 3.7.5 include a fix for CVE-2019-9948: Urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. 
The issue was also found to be present in Python 3 when using URLopener class.\r\nhttps://bugs.python.org/issue35907", "transitive": false, "more_info_path": "/v/45684/f17", "id": "pyup.io-45684", "type": "cve", "cve": "CVE-2019-9948"}, {"specs": ["<2.7.14", ">=3.0.0a0,<3.4.7", ">=3.5.0a0,<3.5.4"], "advisory": "Python versions 2.7.14, 3.4.7 and 3.5.4 update its dependency 'zlib' to v1.2.11 to include security fixes.\r\nhttps://bugs.python.org/issue29169", "transitive": true, "more_info_path": "/v/45672/f17", "id": "pyup.io-45672", "type": "cve", "cve": "CVE-2016-9840"}, {"specs": ["<2.5.2"], "advisory": "Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.", "transitive": false, "more_info_path": "/v/45643/f17", "id": "pyup.io-45643", "type": "cve", "cve": "CVE-2008-1887"}, {"specs": ["<3.7.14", ">=3.8.0a0,<3.8.14", ">=3.9.0a0,<3.9.14", ">=3.10.0a0,<3.10.7", ">=3.11.0a0,<3.11.0rc1"], "advisory": "A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). 
The highest threat from this vulnerability is to system availability.", "transitive": false, "more_info_path": "/v/50958/f17", "id": "pyup.io-50958", "type": "cve", "cve": "CVE-2020-10735"}, {"specs": ["<3.7.16", ">=3.8.0a0,<3.8.16", ">=3.9.0a0,<3.9.16", ">=3.10.0a0,<3.10.9"], "advisory": "Python 3.7.16, 3.8.16, 3.9.16 and 3.10.9 include a fix for CVE-2022-37454: Buffer overflow in the _sha3 module.\r\nhttps://python-security.readthedocs.io/vuln/sha3-buffer-overflow.html", "transitive": false, "more_info_path": "/v/51647/f17", "id": "pyup.io-51647", "type": "cve", "cve": "CVE-2022-37454"}, {"specs": ["<2.7.10", ">=3.0.0a0,<3.3.7", ">=3.4.0a0,<3.4.4"], "advisory": "Python versions 2.7.10, 3.3.7 and 3.4.4 include a fix for CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.\r\nhttps://bugs.python.org/issue22928", "transitive": false, "more_info_path": "/v/45664/f17", "id": "pyup.io-45664", "type": "cve", "cve": "CVE-2016-5699"}, {"specs": ["<3.6.14", ">=3.7.0a0,<3.7.11", ">=3.8.0a0,<3.8.11", ">=3.9.0a0,<3.9.5", ">=3.10.0a0,<3.10.0b1"], "advisory": "Python versions 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14 include a fix for CVE-2022-0391: A flaw was found in Python, specifically within the urllib.parse module. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. 
This flaw allows an attacker to input a crafted URL, leading to injection attacks.\r\nhttps://bugs.python.org/issue43882", "transitive": false, "more_info_path": "/v/45247/f17", "id": "pyup.io-45247", "type": "cve", "cve": "CVE-2022-0391"}, {"specs": [">=3.10.0a0,<3.10.0", ">=3.9.0a0,<3.9.5", ">=3.8.0a0,<3.8.12"], "advisory": "Python 3.8.12, 3.9.5 and 3.10.0 include a fix for CVE-2021-29921: In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.\r\nhttps://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html", "transitive": false, "more_info_path": "/v/45614/f17", "id": "pyup.io-45614", "type": "cve", "cve": "CVE-2021-29921"}, {"specs": [">=3.5.0a0,<3.5.3", "<3.4.7"], "advisory": "Python 3.4.7 and 3.5.3 remove 3DES from SSL default ciphers list, as it is vulnerable to CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.\r\nhttps://github.com/vstinner/cpython/commit/03d13c0cbfe912eb0f9b9a02987b9e569f25fe19", "transitive": false, "more_info_path": "/v/45716/f17", "id": "pyup.io-45716", "type": "cve", "cve": "CVE-2016-2183"}, {"specs": ["<2.7.17", ">=3.0.0a0,<3.5.8", ">=3.6.0a0,<3.6.10", ">=3.7.0a0,<3.7.4", ">=3.8.0a0,<3.8.0b2"], "advisory": "Python versions 3.8.0b2, 3.7.4, 3.6.10, 3.5.8 and 2.7.17 include a fix for CVE-2019-10160: A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows 
an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.\r\nhttps://bugs.python.org/issue36742", "transitive": false, "more_info_path": "/v/45708/f17", "id": "pyup.io-45708", "type": "cve", "cve": "CVE-2019-10160"}, {"specs": [">0"], "advisory": "Lib/zipfile.py in Python allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.\r\nhttps://bugs.python.org/issue36260", "transitive": false, "more_info_path": "/v/45621/f17", "id": "pyup.io-45621", "type": "cve", "cve": "CVE-2019-9674"}, {"specs": ["<2.6.6", ">=2.7.0a0,<2.7.0", ">=3.0.0a0,<3.1.3", ">=3.2.0a0,<3.2.0"], "advisory": "Python versions 2.6.6, 2.7.0, 3.1.3 and 3.2.0 include a fix for CVE-2010-1634: Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.\r\nhttps://bugs.python.org/issue8674", "transitive": false, "more_info_path": "/v/45661/f17", "id": "pyup.io-45661", "type": "cve", "cve": "CVE-2010-1634"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. 
The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.", "transitive": false, "more_info_path": "/v/45817/f17", "id": "pyup.io-45817", "type": "cve", "cve": "CVE-2022-26488"}, {"specs": [">=3.11.0a0,<3.11.0b4", "<3.7.16", ">=3.8.0a0,<3.8.16", ">=3.9.0a0,<3.9.16", ">=3.10.0a0,<3.10.6"], "advisory": "Python 3.7.16, 3.8.16, 3.9.16, 3.10.6 and 3.11.0b4 include a fix for CVE-2015-20107: The mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).\r\nhttps://python-security.readthedocs.io/vuln/mailcap-shell-injection.html", "transitive": false, "more_info_path": "/v/48131/f17", "id": "pyup.io-48131", "type": "cve", "cve": "CVE-2015-20107"}, {"specs": ["<2.7.14", ">=3.0.0a0,<3.3.7", ">=3.4.0a0,<3.4.7", ">=3.5.0a0,<3.5.4", ">=3.6.0a0,<3.6.2"], "advisory": "Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.2 update modules/expat to libexpat 2.2.1 to include security fixes.\r\nhttps://bugs.python.org/issue29591", "transitive": true, "more_info_path": "/v/45669/f17", "id": "pyup.io-45669", "type": "cve", "cve": "CVE-2016-5300"}, {"specs": ["<2.7.14", ">=3.0.0a0,<3.3.7", ">=3.4.0a0,<3.4.7", ">=3.5.0a0,<3.5.4", ">=3.6.0a0,<3.6.2"], "advisory": "Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.2 update modules/expat to libexpat 2.2.1 to include security fixes.\r\nhttps://bugs.python.org/issue29591", "transitive": true, 
"more_info_path": "/v/45670/f17", "id": "pyup.io-45670", "type": "cve", "cve": "CVE-2012-6702"}, {"specs": ["<2.7.14", ">=3.0.0a0,<3.4.7", ">=3.5.0a0,<3.5.4"], "advisory": "Python versions 2.7.14, 3.4.7 and 3.5.4 update its dependency 'zlib' to v1.2.11 to include security fixes.\r\nhttps://bugs.python.org/issue29169", "transitive": true, "more_info_path": "/v/45674/f17", "id": "pyup.io-45674", "type": "cve", "cve": "CVE-2016-9842"}, {"specs": [">=3.6.0,<3.6.13", ">=3.7.0,<3.7.10", ">=3.8.0,<3.8.9", ">=3.9.0,<3.9.3", ">=3.10.0,<3.10.0a7"], "advisory": "Python versions 3.6.13, 3.7.10, 3.8.9, 3.9.3 and 3.10.0a7 include a fix for CVE-2021-3426: There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1935913\r\nhttps://bugs.python.org/issue42988", "transitive": false, "more_info_path": "/v/45723/f17", "id": "pyup.io-45723", "type": "cve", "cve": "CVE-2021-3426"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51862/f17", "id": "pyup.io-51862", "type": "cve", "cve": "CVE-2022-25235"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51864/f17", "id": "pyup.io-51864", "type": "cve", "cve": "CVE-2022-25236"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 
3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51872/f17", "id": "pyup.io-51872", "type": "cve", "cve": "CVE-2022-22822"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51860/f17", "id": "pyup.io-51860", "type": "cve", "cve": "CVE-2022-25314"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51869/f17", "id": "pyup.io-51869", "type": "cve", "cve": "CVE-2022-22825"}, {"specs": ["<2.6.6"], "advisory": "Python 2.6.6 includes a fix for CVE-2006-4980: Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.", "transitive": false, "more_info_path": "/v/54917/f17", "id": "pyup.io-54917", "type": "cve", "cve": "CVE-2006-4980"}, {"specs": ["<3.7.14", ">=3.8.0a0,<3.8.14", ">=3.9.0a0,<3.9.14", ">=3.10.0a0,<3.10.6"], "advisory": "Python 3.7.14, 3.8.14, 3.9.14 and 3.10.6 include a fix for CVE-2021-28861: Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. \r\nNOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. 
It only implements basic security checks.\"", "transitive": false, "more_info_path": "/v/50732/f17", "id": "pyup.io-50732", "type": "cve", "cve": "CVE-2021-28861"}, {"specs": [">=3.0.0a0,<3.5.8", ">=3.6.0a0,<3.6.10", ">=3.7.0a0,<3.7.5", "<2.7.17"], "advisory": "Python versions 2.7.17, 3.5.8, 3.6.10 and 3.7.5 include a fix for CVE-2019-16056: An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.\r\nhttps://bugs.python.org/issue34155", "transitive": false, "more_info_path": "/v/45683/f17", "id": "pyup.io-45683", "type": "cve", "cve": "CVE-2019-16056"}, {"specs": ["<3.6.14", ">=3.7.0a0,<3.7.11", ">=3.8.0a0,<3.8.11", ">=3.9.0a0,<3.9.6", ">=3.10.0a0,<3.10.0b2"], "advisory": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. 
The highest threat from this vulnerability is to system availability.", "transitive": false, "more_info_path": "/v/45703/f17", "id": "pyup.io-45703", "type": "cve", "cve": "CVE-2021-3737"}, {"specs": [">=2.6,<2.6.7", "<2.5.6c1", ">=2.7,<2.7.2", ">=3.0.0a0,<3.2.4", ">=3.3.0a0,<3.3.1"], "advisory": "Python 2.5.6c1, 2.6.7rc2, 2.7.2, 3.2.4 and 3.3.1 include a fix for CVE-2011-4940: The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.\r\nhttps://python-security.readthedocs.io/vuln/simplehttpserver-utf-7.html", "transitive": false, "more_info_path": "/v/45718/f17", "id": "pyup.io-45718", "type": "cve", "cve": "CVE-2011-4940"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51858/f17", "id": "pyup.io-51858", "type": "cve", "cve": "CVE-2022-25313"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51861/f17", "id": "pyup.io-51861", "type": "cve", "cve": "CVE-2022-25315"}, {"specs": ["<3.7.15", ">=3.8.0a0,<3.8.15", ">=3.9.0a0,<3.9.15", ">=3.10.0a0,<3.10.8"], "advisory": "Python 3.7.15, 3.8.15, 3.9.15 and 3.10.8 update bundled 'libexpat' version to v2.4.9 to include a security fix.", "transitive": true, "more_info_path": "/v/51863/f17", "id": "pyup.io-51863", "type": "cve", "cve": "CVE-2022-40674"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", 
">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51865/f17", "id": "pyup.io-51865", "type": "cve", "cve": "CVE-2022-23990"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51866/f17", "id": "pyup.io-51866", "type": "cve", "cve": "CVE-2022-23852"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51867/f17", "id": "pyup.io-51867", "type": "cve", "cve": "CVE-2022-22827"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51868/f17", "id": "pyup.io-51868", "type": "cve", "cve": "CVE-2022-22826"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51870/f17", "id": "pyup.io-51870", "type": "cve", "cve": "CVE-2022-22824"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51871/f17", "id": "pyup.io-51871", "type": "cve", "cve": "CVE-2022-22823"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", 
">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51873/f17", "id": "pyup.io-51873", "type": "cve", "cve": "CVE-2021-46143"}, {"specs": ["<3.7.13", ">=3.8.0a0,<3.8.13", ">=3.9.0a0,<3.9.11", ">=3.10.0a0,<3.10.3"], "advisory": "Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.", "transitive": true, "more_info_path": "/v/51874/f17", "id": "pyup.io-51874", "type": "cve", "cve": "CVE-2021-45960"}, {"specs": [">=3.7.0,<3.7.10", ">=3.8.0,<3.8.8", ">=3.9.0,<3.9.2", ">=3.0.0a0,<3.6.13"], "advisory": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.", "transitive": false, "more_info_path": "/v/45651/f17", "id": "pyup.io-45651", "type": "cve", "cve": "CVE-2021-3177"}, {"specs": ["<3.5.10", ">=3.6.0a0,<3.6.12", ">=3.7.0a0,<3.7.9", ">=3.8.0a0,<3.8.5", ">=3.9.0a0,<3.9.0b5"], "advisory": "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.", "transitive": false, "more_info_path": "/v/45697/f17", "id": "pyup.io-45697", "type": "cve", "cve": "CVE-2020-26116"}, {"specs": ["<3.5.10", ">=3.6.0a0,<3.6.15", ">=3.7.0a0,<3.7.9", ">=3.8.0a0,<3.8.4"], "advisory": "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.", "transitive": false, "more_info_path": "/v/45650/f17", 
"id": "pyup.io-45650", "type": "cve", "cve": "CVE-2019-20907"}, {"specs": [">=3.6.0a0,<3.6.11", ">=3.7.0a0,<3.7.7", ">=3.8.0a0,<3.8.2", ">=3.9.0a0,<3.9.0a6", "<2.7.17", ">=3.0.0a0,<3.5.10"], "advisory": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", "transitive": false, "more_info_path": "/v/45696/f17", "id": "pyup.io-45696", "type": "cve", "cve": "CVE-2020-8492"}, {"specs": ["<3.7.16", ">=3.8.0a0,<3.8.16", ">=3.9.0a0,<3.9.16", ">=3.10.0a0,<3.10.9", ">=3.11.0a0,<3.11.1"], "advisory": "Python 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16 include a fix for CVE-2022-45061: An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302.\r\nhttps://github.com/python/cpython/issues/98433\r\nhttps://python-security.readthedocs.io/vuln/slow-idna-large-strings.html", "transitive": false, "more_info_path": "/v/51789/f17", "id": "pyup.io-51789", "type": "cve", "cve": "CVE-2022-45061"}, {"specs": ["<3.6.14", ">=3.7.0a0,<3.7.11", ">=3.8.0a0,<3.8.9", ">=3.9.0a0,<3.9.3"], "advisory": "Python 3.6.14, 3.7.11, 3.8.9 and 3.9.3 include a fix for CVE-2021-4189: The issue is how the FTP client trusts the host from the PASV response by default. 
This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.\r\nhttps://python-security.readthedocs.io/vuln/ftplib-pasv.html", "transitive": false, "more_info_path": "/v/50765/f17", "id": "pyup.io-50765", "type": "cve", "cve": "CVE-2021-4189"}, {"specs": ["<3.11.3"], "advisory": "The e-mail module of Python 0 - 2.7.18, 3.x - 3.11 incorrectly parses e-mail addresses which contain a special character. This vulnerability allows attackers to send messages from e-mail addresses that would otherwise be rejected.\r\nhttps://github.com/python/cpython/issues/102988\r\nhttps://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", "transitive": false, "more_info_path": "/v/55080/f17", "id": "pyup.io-55080", "type": "cve", "cve": "CVE-2023-27043"}, {"specs": ["<3.11.1"], "advisory": "An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", "transitive": false, "more_info_path": "/v/53376/f17", "id": "pyup.io-53376", "type": "cve", "cve": "CVE-2023-24329"}, {"specs": ["<3.5.10rc1", ">=3.6.0a0,<3.6.12", ">=3.7.0a0,<3.7.9", ">=3.8.0a0,<3.8.4", ">=3.9.0a0,<3.9.0b4"], "advisory": "Python versions 3.5.10rc1, 3.6.12, 3.7.9, 3.8.4 and 3.9.0b4 include a fix for CVE-2020-14422: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.\r\nhttps://bugs.python.org/issue41004", "transitive": false, "more_info_path": "/v/45698/f17", "id": "pyup.io-45698", "type": "cve", "cve": 
"CVE-2020-14422"}, {"specs": ["<3.6.14", ">=3.7.0a0,<3.7.11", ">=3.8.0a0,<3.8.10", ">=3.9.0a0,<3.9.5", ">=3.10.0a0,<3.10.0"], "advisory": "Python versions 3.6.14, 3.7.11, 3.8.10, 3.9.5 and 3.10.0 include a fix for CVE-2021-3733: There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client.\r\nhttps://python-security.readthedocs.io/vuln/urllib-basic-auth-regex2.html", "transitive": false, "more_info_path": "/v/45815/f17", "id": "pyup.io-45815", "type": "cve", "cve": "CVE-2021-3733"}], "configobj": [{"specs": [">=0"], "advisory": "All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\\((.*)\\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.", "transitive": false, "more_info_path": "/v/54843/f17", "id": "pyup.io-54843", "type": "cve", "cve": "CVE-2023-26112"}], "python-jwt": [{"specs": ["<1.0.0"], "advisory": "Python-jwt 1.0.0 includes fixes for a security vulnerability where 'alg=None' header could bypass signature verification.\r\nhttps://github.com/jpadilla/pyjwt/pull/109\r\nhttps://github.com/jpadilla/pyjwt/pull/110", "transitive": false, "more_info_path": "/v/42355/f17", "id": "pyup.io-42355", "type": "pve", "cve": "PVE-2021-42355"}, {"specs": ["<3.3.4"], "advisory": "Python-jwt 3.3.4 includes a fix for CVE-2022-39227: Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. 
Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. There are no known workarounds.\r\nhttps://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp", "transitive": false, "more_info_path": "/v/51174/f17", "id": "pyup.io-51174", "type": "cve", "cve": "CVE-2022-39227"}], "smqtk-core": [{"specs": ["<0.18.2"], "advisory": "Smqtk-core 0.18.2 updates its dependency 'ipython' to v7.16.3 to include a security fix.", "transitive": true, "more_info_path": "/v/52540/f17", "id": "pyup.io-52540", "type": "cve", "cve": "CVE-2022-21699"}, {"specs": ["<0.18.2"], "advisory": "Smqtk-core 0.18.2 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", "transitive": true, "more_info_path": "/v/52401/f17", "id": "pyup.io-52401", "type": "cve", "cve": "CVE-2021-33503"}], "py-swagger-ui": [{"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses versions of 'swagger-ui' (2.2.10, 3.52.0) with a known vulnerability: including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.\r\nhttps://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx", "transitive": true, "more_info_path": "/v/52699/f17", "id": "pyup.io-52699", "type": "cve", "cve": "CVE-2021-46708"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses versions of 'swagger-ui' (2.2.10, 3.52.0) with potential transitive vulnerabilities.\r\nhttps://github.com/swagger-api/swagger-ui/commit/31626145c08e75b1d765975ca6e5616fe721e03d", "transitive": true, "more_info_path": "/v/52705/f17", "id": "pyup.io-52705", "type": "pve", "cve": "PVE-2023-52705"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses versions of 'swagger-ui' (2.2.10, 3.52.0) with a known docker image Node.js 
vulnerability.\r\nhttps://github.com/swagger-api/swagger-ui/commit/325909fb6a87a2022487be7a58c41f5857fdf761", "transitive": true, "more_info_path": "/v/52704/f17", "id": "pyup.io-52704", "type": "pve", "cve": "PVE-2023-52704"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with a known XSS vulnerability.\r\nhttps://github.com/swagger-api/swagger-ui/commit/1e184e8e218676278c83e60a45846c199ce3d15e", "transitive": true, "more_info_path": "/v/52714/f17", "id": "pyup.io-52714", "type": "pve", "cve": "PVE-2023-52714"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with a known CSS vulnerability.", "transitive": true, "more_info_path": "/v/52712/f17", "id": "pyup.io-52712", "type": "cve", "cve": "CVE-2019-17495"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses versions of 'swagger-ui' (2.2.10, 3.52.0) with a potential transitive vulnerability.\r\nhttps://github.com/swagger-api/swagger-ui/commit/6c417e490185cb6c0e8855d642f9666d5e6f9bf0", "transitive": true, "more_info_path": "/v/52698/f17", "id": "pyup.io-52698", "type": "pve", "cve": "PVE-2023-52698"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses versions of 'swagger-ui' (2.2.10, 3.52.0) with potential transitive vulnerabilities.\r\nhttps://github.com/swagger-api/swagger-ui/commit/5029b815602dcfa87cc422031a75260c6e7a9ed4", "transitive": true, "more_info_path": "/v/52703/f17", "id": "pyup.io-52703", "type": "pve", "cve": "PVE-2023-52703"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with potential transitive vulnerabilities.\r\nhttps://github.com/swagger-api/swagger-ui/compare/v3.37.2...v3.38.0", "transitive": true, "more_info_path": "/v/52707/f17", "id": "pyup.io-52707", "type": "pve", "cve": "PVE-2023-52707"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) 
with a potential transitive vulnerability.\r\nhttps://github.com/swagger-api/swagger-ui/commit/a26bb9284de375e338987b13ad7a1270372e245c", "transitive": true, "more_info_path": "/v/52708/f17", "id": "pyup.io-52708", "type": "pve", "cve": "PVE-2023-52708"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with a potential transitive vulnerability.\r\nhttps://github.com/swagger-api/swagger-ui/commit/9e294fbab55a7c4974d7a8eb56534f39ec3a9f63", "transitive": true, "more_info_path": "/v/52709/f17", "id": "pyup.io-52709", "type": "pve", "cve": "PVE-2023-52709"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with a potential vulnerability in the Markdown renderer.\r\nhttps://github.com/swagger-api/swagger-ui/commit/a616cb471d31f04a28d185aeb1bcb83637afc3cf", "transitive": true, "more_info_path": "/v/52710/f17", "id": "pyup.io-52710", "type": "pve", "cve": "PVE-2023-52710"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with a potential transitive vulnerability.\r\nhttps://github.com/swagger-api/swagger-ui/commit/5628ff02f4da4fcc77aaf808466be9550bef2cbe", "transitive": true, "more_info_path": "/v/52713/f17", "id": "pyup.io-52713", "type": "cve", "cve": "CVE-2018-20834"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with a known vulnerability in anchor tags.\r\nhttps://github.com/swagger-api/swagger-ui/pull/4789", "transitive": true, "more_info_path": "/v/52717/f17", "id": "pyup.io-52717", "type": "pve", "cve": "PVE-2023-52717"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with a potential transitive vulnerability.\r\nhttps://github.com/swagger-api/swagger-ui/commit/558d054986d58b029e5ac2db5f350219ef4d578b", "transitive": true, "more_info_path": "/v/52718/f17", "id": "pyup.io-52718", "type": "pve", 
"cve": "PVE-2023-52718"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses a version of 'swagger-ui' (2.2.10) with a known XSS vulnerability.\r\nhttps://github.com/swagger-api/swagger-ui/commit/afa615e01dc7f6724d20a11abfe1fcdf8f6ecd57", "transitive": true, "more_info_path": "/v/52721/f17", "id": "pyup.io-52721", "type": "pve", "cve": "PVE-2023-52721"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses versions of 'swagger-ui' (2.2.10, 3.52.0) that expose hostnames to build fragments.\r\nhttps://github.com/swagger-api/swagger-ui/pull/7491", "transitive": true, "more_info_path": "/v/52735/f17", "id": "pyup.io-52735", "type": "pve", "cve": "PVE-2023-52735"}, {"specs": ["<1.1.0"], "advisory": "Py-swagger-ui before 1.1.0 uses versions of 'swagger-ui' (2.2.10, 3.52.0) with a known vulnerability: including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.\r\nhttps://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx", "transitive": true, "more_info_path": "/v/52736/f17", "id": "pyup.io-52736", "type": "cve", "cve": "CVE-2018-25031"}], "lurklite": [{"specs": ["<0.4.9"], "advisory": "Lurklite 0.4.9 includes a change that allows Discord administrators to be specified with user IDs as well as usernamediscriminator, improving security with username changes.", "transitive": false, "more_info_path": "/v/38394/f17", "id": "pyup.io-38394", "type": "pve", "cve": "PVE-2021-38394"}], "ethsnarks": [{"specs": ["<0.18.10.1"], "advisory": "Ethsnarks 0.18.10.1 fixes security bugs in MiMC-p/p and Miximus.", "transitive": false, "more_info_path": "/v/37387/f17", "id": "pyup.io-37387", "type": "pve", "cve": "PVE-2021-37387"}], "jarvis-ui": [{"specs": ["<0.2.8"], "advisory": "Jarvis-ui 0.2.8 hexlifies token to secure it over internet.\r\nhttps://github.com/thevickypedia/Jarvis_UI/commit/f6bca8b2d9785890a96b7db3e74ea816978c7bc4", "transitive": false, 
"more_info_path": "/v/49685/f17", "id": "pyup.io-49685", "type": "pve", "cve": "PVE-2022-49685"}], "atlasapi": [{"specs": ["<2.0.5"], "advisory": "Atlasapi 2.0.5 updates its dependency 'sphinx' to v3.0.4 to include security fixes.", "transitive": true, "more_info_path": "/v/51567/f17", "id": "pyup.io-51567", "type": "cve", "cve": "CVE-2020-11022"}, {"specs": ["<2.0.5"], "advisory": "Atlasapi 2.0.5 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "transitive": true, "more_info_path": "/v/51548/f17", "id": "pyup.io-51548", "type": "cve", "cve": "CVE-2021-20270"}, {"specs": ["<2.0.5"], "advisory": "Atlasapi 2.0.5 updates its dependency 'sphinx' to v3.0.4 to include security fixes.", "transitive": true, "more_info_path": "/v/51568/f17", "id": "pyup.io-51568", "type": "cve", "cve": "CVE-2020-11023"}, {"specs": ["<2.0.5"], "advisory": "Atlasapi 2.0.5 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "transitive": true, "more_info_path": "/v/51566/f17", "id": "pyup.io-51566", "type": "cve", "cve": "CVE-2021-27291"}], "ethically": [{"specs": ["<0.0.3"], "advisory": "Ethically 0.0.3 fixes security issues with dependencies. This package is no longer in PyPI. 
No more information was found.", "transitive": true, "more_info_path": "/v/45608/f17", "id": "pyup.io-45608", "type": "pve", "cve": "PVE-2021-37042"}], "mitmproxy": [{"specs": ["<4.0.4"], "advisory": "mitmproxy before 4.0.4 does not protect mitmweb against DNS rebinding.", "transitive": false, "more_info_path": "/v/36352/f17", "id": "pyup.io-36352", "type": "cve", "cve": "CVE-2018-14505"}, {"specs": ["<0.17"], "advisory": "Mitmproxy before 0.17 has a XSS vulnerability in HTTP errors.\r\nhttps://github.com/mitmproxy/mitmproxy/pull/1066", "transitive": false, "more_info_path": "/v/25891/f17", "id": "pyup.io-25891", "type": "pve", "cve": "PVE-2021-25891"}, {"specs": ["<8.0.0"], "advisory": "Mitmproxy 8.0.0 includes a fix for CVE-2022-24766: Insufficient Protection against HTTP Request Smuggling.\r\nhttps://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3", "transitive": false, "more_info_path": "/v/48560/f17", "id": "pyup.io-48560", "type": "cve", "cve": "CVE-2022-24766"}, {"specs": ["<4.0.0"], "advisory": "Mitmproxy version 4.0.0 includes a fix to correctly block connections from remote clients with IPv4-mapped IPv6 client addresses.\r\nhttps://github.com/mitmproxy/mitmproxy/issues/3024", "transitive": false, "more_info_path": "/v/41864/f17", "id": "pyup.io-41864", "type": "pve", "cve": "PVE-2021-41864"}, {"specs": ["<5.0"], "advisory": "Mitmproxy 5.0 fixes command injection vulnerabilities when exporting flows as curl/httpie commands. It also does not echo unsanitized user input in HTTP error responses.", "transitive": false, "more_info_path": "/v/38179/f17", "id": "pyup.io-38179", "type": "pve", "cve": "PVE-2021-38179"}, {"specs": ["<7.0.3"], "advisory": "Mitmproxy version 7.0.3 includes a fix for CVE-2021-39214: In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. 
This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While a smuggled request is still captured as part of another request's body, it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless one uses mitmproxy to protect an HTTP/1 service, no action is required.", "transitive": false, "more_info_path": "/v/41855/f17", "id": "pyup.io-41855", "type": "cve", "cve": "CVE-2021-39214"}, {"specs": ["<9.0.1"], "advisory": "Mitmproxy 9.0.1 updates its precompiled binaries with OpenSSL 3.0.7, to include security fixes.", "transitive": true, "more_info_path": "/v/51651/f17", "id": "pyup.io-51651", "type": "cve", "cve": "CVE-2022-3786"}, {"specs": ["<9.0.1"], "advisory": "Mitmproxy 9.0.1 updates its precompiled binaries with OpenSSL 3.0.7, to include security fixes.", "transitive": true, "more_info_path": "/v/51778/f17", "id": "pyup.io-51778", "type": "cve", "cve": "CVE-2022-3602"}], "rubicon-ml": [{"specs": ["<0.2.6"], "advisory": "Rubicon-ml 0.2.6 includes a fix to address a whitesource vulnerability.", "transitive": false, "more_info_path": "/v/41017/f17", "id": "pyup.io-41017", "type": "pve", "cve": "PVE-2021-41017"}], "py7zr": [{"specs": ["<0.20.1"], "advisory": "Py7zr 0.20.1 adds protection against path traversal attacks.\r\nhttps://github.com/miurahr/py7zr/commit/1bb43f17515c7f69673a1c88ab9cc72a7bbef406", "transitive": false, "more_info_path": "/v/51631/f17", "id": "pyup.io-51631", "type": "pve", "cve": "PVE-2022-51631"}, {"specs": ["<0.17.3"], "advisory": "Py7zr 0.17.3 protects against directory traversal attacks by checking file paths in ArchiveFile.\r\nhttps://github.com/miurahr/py7zr/commit/2cb066688b05ee7427f236fd35f5598112e9d501", "transitive": false, "more_info_path": "/v/44652/f17", "id": "pyup.io-44652", "type": "pve", "cve": 
"PVE-2022-44652"}, {"specs": ["<=0.20.0"], "advisory": "Py7zr 0.20.1 includes a fix for CVE-2022-44900: A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.", "transitive": false, "more_info_path": "/v/52349/f17", "id": "pyup.io-52349", "type": "cve", "cve": "CVE-2022-44900"}], "python3-saml": [{"specs": ["<1.13.0"], "advisory": "Python3-saml 1.13.0 updates its dependency 'lxml' to v4.7.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44754/f17", "id": "pyup.io-44754", "type": "cve", "cve": "CVE-2021-43818"}, {"specs": ["<1.2.1"], "advisory": "Python3-saml 1.2.1 includes several fixes to prevent Signature Wrapping attacks.\r\nhttps://github.com/onelogin/python3-saml/pull/30", "transitive": false, "more_info_path": "/v/26090/f17", "id": "pyup.io-26090", "type": "pve", "cve": "PVE-2021-26087"}, {"specs": ["<1.4.0"], "advisory": "Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.", "transitive": false, "more_info_path": "/v/35780/f17", "id": "pyup.io-35780", "type": "cve", "cve": "CVE-2017-11427"}, {"specs": ["<1.8.0"], "advisory": "Python3-saml 1.8.0 sets to True the default value for 'strict' setting to improve validation.", "transitive": false, "more_info_path": "/v/50741/f17", "id": "pyup.io-50741", "type": "pve", "cve": "PVE-2022-50739"}, {"specs": ["<1.5.0"], "advisory": "Python3-saml 1.5.0 contains security improvements to prevent XPath injection. 
It also disables DTD on the fromstring defusedxml method.", "transitive": false, "more_info_path": "/v/39454/f17", "id": "pyup.io-39454", "type": "pve", "cve": "PVE-2021-39454"}, {"specs": ["<1.13.0"], "advisory": "Python3-saml 1.13.0 sets sha256 and rsa-sha256 as default algorithms.\r\nhttps://github.com/onelogin/python3-saml/pull/296", "transitive": false, "more_info_path": "/v/50740/f17", "id": "pyup.io-50740", "type": "pve", "cve": "PVE-2022-44711"}, {"specs": ["<1.13.0"], "advisory": "Python3-saml 1.13.0 updates its dependency 'lxml' to v4.7.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44755/f17", "id": "pyup.io-44755", "type": "cve", "cve": "CVE-2021-28957"}, {"specs": ["<1.13.0"], "advisory": "Python3-saml 1.13.0 updates its dependency 'lxml' to v4.7.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44718/f17", "id": "pyup.io-44718", "type": "cve", "cve": "CVE-2018-19787"}, {"specs": ["<1.13.0"], "advisory": "Python3-saml 1.13.0 updates its dependency 'lxml' to v4.7.0 to include security fixes.", "transitive": true, "more_info_path": "/v/44756/f17", "id": "pyup.io-44756", "type": "cve", "cve": "CVE-2020-27783"}], "scvae": [{"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46704/f17", "id": "pyup.io-46704", "type": "cve", "cve": "CVE-2021-22925"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46738/f17", "id": "pyup.io-46738", "type": "cve", "cve": "CVE-2021-41228"}, {"specs": ["<2.1.1"], "advisory": "Scvae 2.1.1 updates TensorFlow to v1.15.2 to include security fixes.", "transitive": true, "more_info_path": "/v/43825/f17", "id": "pyup.io-43825", "type": "cve", "cve": "CVE-2019-16168"}, 
{"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46688/f17", "id": "pyup.io-46688", "type": "cve", "cve": "CVE-2020-15209"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46699/f17", "id": "pyup.io-46699", "type": "cve", "cve": "CVE-2020-26271"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46711/f17", "id": "pyup.io-46711", "type": "cve", "cve": "CVE-2021-41200"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46745/f17", "id": "pyup.io-46745", "type": "cve", "cve": "CVE-2022-21731"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46755/f17", "id": "pyup.io-46755", "type": "cve", "cve": "CVE-2022-21741"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46767/f17", "id": "pyup.io-46767", "type": "cve", "cve": "CVE-2022-23568"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46776/f17", "id": "pyup.io-46776", "type": "cve", "cve": 
"CVE-2022-23577"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46777/f17", "id": "pyup.io-46777", "type": "cve", "cve": "CVE-2022-23578"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46703/f17", "id": "pyup.io-46703", "type": "cve", "cve": "CVE-2021-22924"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46661/f17", "id": "pyup.io-46661", "type": "cve", "cve": "CVE-2019-10099"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46729/f17", "id": "pyup.io-46729", "type": "cve", "cve": "CVE-2021-41218"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46670/f17", "id": "pyup.io-46670", "type": "cve", "cve": "CVE-2020-11656"}, {"specs": ["<2.1.1"], "advisory": "Scvae 2.1.1 updates TensorFlow to v1.15.2 to include security fixes.", "transitive": true, "more_info_path": "/v/43826/f17", "id": "pyup.io-43826", "type": "cve", "cve": "CVE-2020-5215"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46727/f17", "id": "pyup.io-46727", "type": "cve", "cve": "CVE-2021-41216"}, {"specs": ["<=2.1.4"], "advisory": 
"Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46769/f17", "id": "pyup.io-46769", "type": "cve", "cve": "CVE-2022-23570"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46772/f17", "id": "pyup.io-46772", "type": "cve", "cve": "CVE-2022-23573"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46689/f17", "id": "pyup.io-46689", "type": "cve", "cve": "CVE-2020-15210"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46713/f17", "id": "pyup.io-46713", "type": "cve", "cve": "CVE-2021-41202"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46715/f17", "id": "pyup.io-46715", "type": "cve", "cve": "CVE-2021-41204"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46657/f17", "id": "pyup.io-46657", "type": "cve", "cve": "CVE-2018-11770"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46658/f17", "id": "pyup.io-46658", "type": "cve", "cve": "CVE-2018-17190"}, {"specs": ["<=2.1.4"], 
"advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46672/f17", "id": "pyup.io-46672", "type": "cve", "cve": "CVE-2020-13435"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46678/f17", "id": "pyup.io-46678", "type": "cve", "cve": "CVE-2020-15190"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46679/f17", "id": "pyup.io-46679", "type": "cve", "cve": "CVE-2020-15194"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46680/f17", "id": "pyup.io-46680", "type": "cve", "cve": "CVE-2020-15195"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46681/f17", "id": "pyup.io-46681", "type": "cve", "cve": "CVE-2020-15202"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46677/f17", "id": "pyup.io-46677", "type": "cve", "cve": "CVE-2020-14155"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46682/f17", "id": "pyup.io-46682", "type": "cve", "cve": "CVE-2020-15203"}, {"specs": 
["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46683/f17", "id": "pyup.io-46683", "type": "cve", "cve": "CVE-2020-15204"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46716/f17", "id": "pyup.io-46716", "type": "cve", "cve": "CVE-2021-41205"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46685/f17", "id": "pyup.io-46685", "type": "cve", "cve": "CVE-2020-15206"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46686/f17", "id": "pyup.io-46686", "type": "cve", "cve": "CVE-2020-15207"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46687/f17", "id": "pyup.io-46687", "type": "cve", "cve": "CVE-2020-15208"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46690/f17", "id": "pyup.io-46690", "type": "cve", "cve": "CVE-2020-15211"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46692/f17", "id": "pyup.io-46692", "type": "cve", "cve": "CVE-2020-15265"}, 
{"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46693/f17", "id": "pyup.io-46693", "type": "cve", "cve": "CVE-2020-15266"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46696/f17", "id": "pyup.io-46696", "type": "cve", "cve": "CVE-2020-26267"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46701/f17", "id": "pyup.io-46701", "type": "cve", "cve": "CVE-2021-22922"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46706/f17", "id": "pyup.io-46706", "type": "cve", "cve": "CVE-2021-41195"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46707/f17", "id": "pyup.io-46707", "type": "cve", "cve": "CVE-2021-41196"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46708/f17", "id": "pyup.io-46708", "type": "cve", "cve": "CVE-2021-41197"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46709/f17", "id": "pyup.io-46709", "type": "cve", "cve": 
"CVE-2021-41198"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46712/f17", "id": "pyup.io-46712", "type": "cve", "cve": "CVE-2021-41201"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46714/f17", "id": "pyup.io-46714", "type": "cve", "cve": "CVE-2021-41203"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46717/f17", "id": "pyup.io-46717", "type": "cve", "cve": "CVE-2021-41206"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46718/f17", "id": "pyup.io-46718", "type": "cve", "cve": "CVE-2021-41207"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46719/f17", "id": "pyup.io-46719", "type": "cve", "cve": "CVE-2021-41208"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46720/f17", "id": "pyup.io-46720", "type": "cve", "cve": "CVE-2021-41209"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46723/f17", "id": "pyup.io-46723", "type": 
"cve", "cve": "CVE-2021-41212"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46724/f17", "id": "pyup.io-46724", "type": "cve", "cve": "CVE-2021-41213"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46725/f17", "id": "pyup.io-46725", "type": "cve", "cve": "CVE-2021-41214"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46726/f17", "id": "pyup.io-46726", "type": "cve", "cve": "CVE-2021-41215"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46728/f17", "id": "pyup.io-46728", "type": "cve", "cve": "CVE-2021-41217"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46730/f17", "id": "pyup.io-46730", "type": "cve", "cve": "CVE-2021-41219"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46731/f17", "id": "pyup.io-46731", "type": "cve", "cve": "CVE-2021-41221"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46733/f17", "id": 
"pyup.io-46733", "type": "cve", "cve": "CVE-2021-41223"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46734/f17", "id": "pyup.io-46734", "type": "cve", "cve": "CVE-2021-41224"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46736/f17", "id": "pyup.io-46736", "type": "cve", "cve": "CVE-2021-41226"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46737/f17", "id": "pyup.io-46737", "type": "cve", "cve": "CVE-2021-41227"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46739/f17", "id": "pyup.io-46739", "type": "cve", "cve": "CVE-2022-21725"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46740/f17", "id": "pyup.io-46740", "type": "cve", "cve": "CVE-2022-21726"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46741/f17", "id": "pyup.io-46741", "type": "cve", "cve": "CVE-2022-21727"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": 
"/v/46742/f17", "id": "pyup.io-46742", "type": "cve", "cve": "CVE-2022-21728"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46743/f17", "id": "pyup.io-46743", "type": "cve", "cve": "CVE-2022-21729"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46746/f17", "id": "pyup.io-46746", "type": "cve", "cve": "CVE-2022-21732"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46747/f17", "id": "pyup.io-46747", "type": "cve", "cve": "CVE-2022-21733"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46750/f17", "id": "pyup.io-46750", "type": "cve", "cve": "CVE-2022-21736"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46751/f17", "id": "pyup.io-46751", "type": "cve", "cve": "CVE-2022-21737"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46752/f17", "id": "pyup.io-46752", "type": "cve", "cve": "CVE-2022-21738"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, 
"more_info_path": "/v/46754/f17", "id": "pyup.io-46754", "type": "cve", "cve": "CVE-2022-21740"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46756/f17", "id": "pyup.io-46756", "type": "cve", "cve": "CVE-2022-23557"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46757/f17", "id": "pyup.io-46757", "type": "cve", "cve": "CVE-2022-23558"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46758/f17", "id": "pyup.io-46758", "type": "cve", "cve": "CVE-2022-23559"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46759/f17", "id": "pyup.io-46759", "type": "cve", "cve": "CVE-2022-23560"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46760/f17", "id": "pyup.io-46760", "type": "cve", "cve": "CVE-2022-23561"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46761/f17", "id": "pyup.io-46761", "type": "cve", "cve": "CVE-2022-23562"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", 
"transitive": true, "more_info_path": "/v/46762/f17", "id": "pyup.io-46762", "type": "cve", "cve": "CVE-2022-23563"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46763/f17", "id": "pyup.io-46763", "type": "cve", "cve": "CVE-2022-23564"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46764/f17", "id": "pyup.io-46764", "type": "cve", "cve": "CVE-2022-23565"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46766/f17", "id": "pyup.io-46766", "type": "cve", "cve": "CVE-2022-23567"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46775/f17", "id": "pyup.io-46775", "type": "cve", "cve": "CVE-2022-23576"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46778/f17", "id": "pyup.io-46778", "type": "cve", "cve": "CVE-2022-23579"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46779/f17", "id": "pyup.io-46779", "type": "cve", "cve": "CVE-2022-23580"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known 
vulnerabilities.", "transitive": true, "more_info_path": "/v/46780/f17", "id": "pyup.io-46780", "type": "cve", "cve": "CVE-2022-23581"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46781/f17", "id": "pyup.io-46781", "type": "cve", "cve": "CVE-2022-23582"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46782/f17", "id": "pyup.io-46782", "type": "cve", "cve": "CVE-2022-23583"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46783/f17", "id": "pyup.io-46783", "type": "cve", "cve": "CVE-2022-23584"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46784/f17", "id": "pyup.io-46784", "type": "cve", "cve": "CVE-2022-23585"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46785/f17", "id": "pyup.io-46785", "type": "cve", "cve": "CVE-2022-23586"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46786/f17", "id": "pyup.io-46786", "type": "cve", "cve": "CVE-2022-23587"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have 
several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46669/f17", "id": "pyup.io-46669", "type": "cve", "cve": "CVE-2020-11655"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46787/f17", "id": "pyup.io-46787", "type": "cve", "cve": "CVE-2022-23588"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46788/f17", "id": "pyup.io-46788", "type": "cve", "cve": "CVE-2022-23589"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46789/f17", "id": "pyup.io-46789", "type": "cve", "cve": "CVE-2022-23591"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46790/f17", "id": "pyup.io-46790", "type": "cve", "cve": "CVE-2022-23595"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46684/f17", "id": "pyup.io-46684", "type": "cve", "cve": "CVE-2020-15205"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46695/f17", "id": "pyup.io-46695", "type": "cve", "cve": "CVE-2020-26266"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, 
that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46697/f17", "id": "pyup.io-46697", "type": "cve", "cve": "CVE-2020-26268"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46698/f17", "id": "pyup.io-46698", "type": "cve", "cve": "CVE-2020-26270"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46710/f17", "id": "pyup.io-46710", "type": "cve", "cve": "CVE-2021-41199"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46721/f17", "id": "pyup.io-46721", "type": "cve", "cve": "CVE-2021-41210"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46722/f17", "id": "pyup.io-46722", "type": "cve", "cve": "CVE-2021-41211"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46732/f17", "id": "pyup.io-46732", "type": "cve", "cve": "CVE-2021-41222"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46735/f17", "id": "pyup.io-46735", "type": "cve", "cve": "CVE-2021-41225"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 
or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46744/f17", "id": "pyup.io-46744", "type": "cve", "cve": "CVE-2022-21730"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46748/f17", "id": "pyup.io-46748", "type": "cve", "cve": "CVE-2022-21734"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46749/f17", "id": "pyup.io-46749", "type": "cve", "cve": "CVE-2022-21735"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46753/f17", "id": "pyup.io-46753", "type": "cve", "cve": "CVE-2022-21739"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46765/f17", "id": "pyup.io-46765", "type": "cve", "cve": "CVE-2022-23566"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46768/f17", "id": "pyup.io-46768", "type": "cve", "cve": "CVE-2022-23569"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46770/f17", "id": "pyup.io-46770", "type": "cve", "cve": "CVE-2022-23571"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency 
TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46771/f17", "id": "pyup.io-46771", "type": "cve", "cve": "CVE-2022-23572"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46773/f17", "id": "pyup.io-46773", "type": "cve", "cve": "CVE-2022-23574"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46774/f17", "id": "pyup.io-46774", "type": "cve", "cve": "CVE-2022-23575"}, {"specs": ["<2.1.1"], "advisory": "Scvae 2.1.1 updates TensorFlow to v1.15.2 to include security fixes.", "transitive": true, "more_info_path": "/v/37932/f17", "id": "pyup.io-37932", "type": "cve", "cve": "CVE-2019-19646"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46676/f17", "id": "pyup.io-46676", "type": "cve", "cve": "CVE-2020-13871"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46671/f17", "id": "pyup.io-46671", "type": "cve", "cve": "CVE-2020-13434"}, {"specs": ["<2.1.1"], "advisory": "Scvae 2.1.1 updates TensorFlow to v1.15.2 to include security fixes.", "transitive": true, "more_info_path": "/v/43824/f17", "id": "pyup.io-43824", "type": "cve", "cve": "CVE-2019-5481"}, {"specs": ["<2.1.1"], "advisory": "Scvae 2.1.1 updates TensorFlow to v1.15.2 to include security fixes.", "transitive": true, "more_info_path": "/v/43827/f17", "id": "pyup.io-43827", "type": "cve", "cve": 
"CVE-2019-5482"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46659/f17", "id": "pyup.io-46659", "type": "cve", "cve": "CVE-2018-19664"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46660/f17", "id": "pyup.io-46660", "type": "cve", "cve": "CVE-2018-20330"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46662/f17", "id": "pyup.io-46662", "type": "cve", "cve": "CVE-2019-13960"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46664/f17", "id": "pyup.io-46664", "type": "cve", "cve": "CVE-2019-19244"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46665/f17", "id": "pyup.io-46665", "type": "cve", "cve": "CVE-2019-19645"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46666/f17", "id": "pyup.io-46666", "type": "cve", "cve": "CVE-2019-19880"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46667/f17", "id": "pyup.io-46667", "type": 
"cve", "cve": "CVE-2019-20838"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46668/f17", "id": "pyup.io-46668", "type": "cve", "cve": "CVE-2020-10531"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46673/f17", "id": "pyup.io-46673", "type": "cve", "cve": "CVE-2020-13630"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46674/f17", "id": "pyup.io-46674", "type": "cve", "cve": "CVE-2020-13631"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46675/f17", "id": "pyup.io-46675", "type": "cve", "cve": "CVE-2020-13790"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46691/f17", "id": "pyup.io-46691", "type": "cve", "cve": "CVE-2020-15250"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46694/f17", "id": "pyup.io-46694", "type": "cve", "cve": "CVE-2020-15358"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46700/f17", "id": 
"pyup.io-46700", "type": "cve", "cve": "CVE-2020-9327"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46702/f17", "id": "pyup.io-46702", "type": "cve", "cve": "CVE-2021-22923"}, {"specs": ["<=2.1.4"], "advisory": "Scvae versions 2.1.4 and prior require as minimum dependency TensorFlow v1.15.2 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46705/f17", "id": "pyup.io-46705", "type": "cve", "cve": "CVE-2021-22926"}], "ansitoimg": [{"specs": ["<2021.0.1"], "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/40612/f17", "id": "pyup.io-40612", "type": "cve", "cve": "CVE-2021-27922"}, {"specs": ["<2021.0.1"], "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/40994/f17", "id": "pyup.io-40994", "type": "cve", "cve": "CVE-2020-35655"}, {"specs": ["<2021.0.1"], "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/40995/f17", "id": "pyup.io-40995", "type": "cve", "cve": "CVE-2020-35653"}, {"specs": ["<2021.0.1"], "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/40996/f17", "id": "pyup.io-40996", "type": "cve", "cve": "CVE-2020-35654"}, {"specs": ["<2021.0.1"], "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/40993/f17", "id": "pyup.io-40993", "type": "cve", "cve": "CVE-2021-27923"}, {"specs": ["<2021.0.1"], "advisory": "Ansitoimg 2021.0.1 
updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "transitive": true, "more_info_path": "/v/40611/f17", "id": "pyup.io-40611", "type": "cve", "cve": "CVE-2021-27921"}], "label-studio-converter": [{"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50645/f17", "id": "pyup.io-50645", "type": "cve", "cve": "CVE-2021-28677"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50641/f17", "id": "pyup.io-50641", "type": "cve", "cve": "CVE-2021-34552"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50652/f17", "id": "pyup.io-50652", "type": "cve", "cve": "CVE-2021-25293"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50644/f17", "id": "pyup.io-50644", "type": "cve", "cve": "CVE-2021-28676"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50648/f17", "id": "pyup.io-50648", "type": "cve", "cve": "CVE-2021-25289"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50649/f17", "id": "pyup.io-50649", "type": "cve", "cve": "CVE-2021-25290"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50646/f17", "id": "pyup.io-50646", "type": "cve", "cve": 
"CVE-2021-25287"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50650/f17", "id": "pyup.io-50650", "type": "cve", "cve": "CVE-2021-25291"}, {"specs": ["<0.0.45"], "advisory": "Label-studio-converter 0.0.45 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/51798/f17", "id": "pyup.io-51798", "type": "cve", "cve": "CVE-2021-34552"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50651/f17", "id": "pyup.io-50651", "type": "cve", "cve": "CVE-2021-25292"}, {"specs": ["<0.0.43"], "advisory": "Label-studio-converter 0.0.43 updates its dependency 'pillow' to v8.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/50647/f17", "id": "pyup.io-50647", "type": "cve", "cve": "CVE-2021-25288"}], "tensorflow": [{"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by invalid validation in 'SparseMatrixSparseCholesky'. See CVE-2021-29530.", "transitive": false, "more_info_path": "/v/40688/f17", "id": "pyup.io-40688", "type": "cve", "cve": "CVE-2021-29530"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a 'CHECK'-fail due to integer overflow. 
See CVE-2021-29584.", "transitive": false, "more_info_path": "/v/40736/f17", "id": "pyup.io-40736", "type": "cve", "cve": "CVE-2021-29584"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27775.", "transitive": true, "more_info_path": "/v/48657/f17", "id": "pyup.io-48657", "type": "cve", "cve": "CVE-2022-27775"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB read in 'tf.raw_ops.Dequantize'. See CVE-2021-29582.", "transitive": false, "more_info_path": "/v/40735/f17", "id": "pyup.io-40735", "type": "cve", "cve": "CVE-2021-29582"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a 'CHECK'-fail in 'tf.raw_ops.IRFFT'. See CVE-2021-29562.", "transitive": false, "more_info_path": "/v/40719/f17", "id": "pyup.io-40719", "type": "cve", "cve": "CVE-2021-29562"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a 'CHECK'-fail in 'LoadAndRemapMatrix'. See CVE-2021-29561.", "transitive": false, "more_info_path": "/v/40718/f17", "id": "pyup.io-40718", "type": "cve", "cve": "CVE-2021-29561"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'SpaceToBatchNd'. 
See CVE-2021-29597.", "transitive": false, "more_info_path": "/v/40750/f17", "id": "pyup.io-40750", "type": "cve", "cve": "CVE-2021-29597"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'QuantizedConv2D'. See CVE-2021-29527.", "transitive": false, "more_info_path": "/v/40686/f17", "id": "pyup.io-40686", "type": "cve", "cve": "CVE-2021-29527"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 update its dependency 'curl' to v7.78.0 to handle CVE-2021-22925.", "transitive": true, "more_info_path": "/v/43749/f17", "id": "pyup.io-43749", "type": "cve", "cve": "CVE-2021-22925"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'Split'. See CVE-2021-29599.", "transitive": false, "more_info_path": "/v/40752/f17", "id": "pyup.io-40752", "type": "cve", "cve": "CVE-2021-29599"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29193: missing validation which causes 'TensorSummaryV2' to crash.", "transitive": false, "more_info_path": "/v/48633/f17", "id": "pyup.io-48633", "type": "cve", "cve": "CVE-2022-29193"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a 'CHECK'-fail in 'SparseCross' caused by type confusion. 
See CVE-2021-29519.", "transitive": false, "more_info_path": "/v/40678/f17", "id": "pyup.io-40678", "type": "cve", "cve": "CVE-2021-29519"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a segfault in 'CTCBeamSearchDecoder'. See CVE-2021-29581.", "transitive": false, "more_info_path": "/v/40734/f17", "id": "pyup.io-40734", "type": "cve", "cve": "CVE-2021-29581"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a null pointer dereference in 'SparseFillEmptyRows'. See CVE-2021-29565.", "transitive": false, "more_info_path": "/v/40778/f17", "id": "pyup.io-40778", "type": "cve", "cve": "CVE-2021-29565"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a division by 0 in 'Conv3DBackprop*'. See CVE-2021-29522.", "transitive": false, "more_info_path": "/v/40681/f17", "id": "pyup.io-40681", "type": "cve", "cve": "CVE-2021-29522"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27776.", "transitive": true, "more_info_path": "/v/48658/f17", "id": "pyup.io-48658", "type": "cve", "cve": "CVE-2022-27776"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37652: In affected versions the implementation for 'tf.raw_ops.BoostedTreesCreateEnsemble' can result in a use after free error if an attacker supplies specially crafted arguments. 
The implementation (https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/boosted_trees/resource_ops.cc#L55) uses a reference counted resource and decrements the refcount if the initialization fails, as it should. However, when the code was written, the resource was represented as a naked pointer but later refactoring has changed it to be a smart pointer. Thus, when the pointer leaves the scope, a subsequent 'free'-ing of the resource occurs, but this fails to take into account that the refcount has already reached 0, thus the resource has been already freed. During this double-free process, members of the resource object are accessed for cleanup but they are invalid as the entire resource has been freed. The Tensorflow team has patched the issue in GitHub commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab.", "transitive": false, "more_info_path": "/v/41127/f17", "id": "pyup.io-41127", "type": "cve", "cve": "CVE-2021-37652"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37684: In affected versions the implementations of pooling in TFLite are vulnerable to division by 0 errors as there are no checks for divisors not being 0. The Tensorflow team has patched the issue in GitHub commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695 (https://github.com/tensorflow/tensorflow/commit/dfa22b348b70bb89d6d6ec0ff53973bacb4f4695).", "transitive": false, "more_info_path": "/v/41159/f17", "id": "pyup.io-41159", "type": "cve", "cve": "CVE-2021-37684"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37657: In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all operations of type 'tf.raw_ops.MatrixDiagV*'. 
The implementation (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/linalg/matrix_diag_op.cc) has incomplete validation that the value of 'k' is a valid tensor. The Tensorflow team has checked that this value is either a scalar or a vector, but there is no check for the number of elements. If this is an empty tensor, then code that accesses the first element of the tensor is wrong. The Tensorflow team has patched the issue in GitHub commit f2a673bd34f0d64b8e40a551ac78989d16daad09.", "transitive": false, "more_info_path": "/v/41132/f17", "id": "pyup.io-41132", "type": "cve", "cve": "CVE-2021-37657"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29617: An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments.", "transitive": false, "more_info_path": "/v/40770/f17", "id": "pyup.io-40770", "type": "cve", "cve": "CVE-2021-29617"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35952: 'CHECK' failures in 'UnbatchGradOp'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-h5vq-gw2c-pq47", "transitive": false, "more_info_path": "/v/51054/f17", "id": "pyup.io-51054", "type": "cve", "cve": "CVE-2022-35952"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29608: TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in 'tf.raw_ops.RaggedTensorToTensor', an attacker can exploit an undefined behavior if input arguments are empty. 
The implementation (https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L356-L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple 'DCHECK' validations to prevent heap OOB, but these are no-op in release builds, hence they don't prevent anything.", "transitive": false, "more_info_path": "/v/40760/f17", "id": "pyup.io-40760", "type": "cve", "cve": "CVE-2021-29608"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29196: Missing validation which causes denial of service via 'Conv3DBackpropFilterV2'.", "transitive": false, "more_info_path": "/v/48642/f17", "id": "pyup.io-48642", "type": "cve", "cve": "CVE-2022-29196"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'StringNGrams'. See CVE-2021-29542.", "transitive": false, "more_info_path": "/v/40699/f17", "id": "pyup.io-40699", "type": "cve", "cve": "CVE-2021-29542"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a segfault in 'tf.raw_ops.SparseCountSparseOutput'. 
See CVE-2021-29619.", "transitive": false, "more_info_path": "/v/40771/f17", "id": "pyup.io-40771", "type": "cve", "cve": "CVE-2021-29619"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 update its dependency \"SQLite3\" to handle CVE-2019-19244.", "transitive": true, "more_info_path": "/v/39818/f17", "id": "pyup.io-39818", "type": "cve", "cve": "CVE-2019-19244"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29197: Missing validation which causes denial of service via 'UnsortedSegmentJoin'.", "transitive": false, "more_info_path": "/v/48638/f17", "id": "pyup.io-48638", "type": "cve", "cve": "CVE-2022-29197"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'FractionalAvgPoolGrad'. See CVE-2021-29578.", "transitive": false, "more_info_path": "/v/40732/f17", "id": "pyup.io-40732", "type": "cve", "cve": "CVE-2021-29578"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'DepthwiseConv'. See CVE-2021-29602.", "transitive": false, "more_info_path": "/v/40754/f17", "id": "pyup.io-40754", "type": "cve", "cve": "CVE-2021-29602"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix vulnerabilities where session operations in eager mode lead to null pointer dereferences. 
See CVE-2021-29518.", "transitive": false, "more_info_path": "/v/40677/f17", "id": "pyup.io-40677", "type": "cve", "cve": "CVE-2021-29518"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'DenseCountSparseOutput'. See CVE-2021-29554.", "transitive": false, "more_info_path": "/v/40711/f17", "id": "pyup.io-40711", "type": "cve", "cve": "CVE-2021-29554"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'AvgPool3DGrad'. See CVE-2021-29577.", "transitive": false, "more_info_path": "/v/40730/f17", "id": "pyup.io-40730", "type": "cve", "cve": "CVE-2021-29577"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1"], "advisory": "Tensorflow versions 2.5.3, 2.6.3 and 2.7.1 update its dependency 'icu' to v69.1 to include a security fix.", "transitive": true, "more_info_path": "/v/44763/f17", "id": "pyup.io-44763", "type": "cve", "cve": "CVE-2020-10531"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35979: Segfault in 'QuantizedRelu' and 'QuantizedRelu6'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-v7vw-577f-vp8x", "transitive": false, "more_info_path": "/v/51069/f17", "id": "pyup.io-51069", "type": "cve", "cve": "CVE-2022-35979"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1", ">=2.11.0rc0,<2.11.0"], "advisory": "TensorFlow 2.8.4, 2.9.3, 2.10.1 and 2.11.0 include a fix for CVE-2022-35935: 'CHECK' failure in 'SobolSample' via missing validation.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-97p7-w86h-vcf9\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-cqvq-fvhr-v6hc", "transitive": 
false, "more_info_path": "/v/51048/f17", "id": "pyup.io-51048", "type": "cve", "cve": "CVE-2022-35935"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow caused by rounding. See CVE-2021-29529.", "transitive": false, "more_info_path": "/v/40689/f17", "id": "pyup.io-40689", "type": "cve", "cve": "CVE-2021-29529"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27778.", "transitive": true, "more_info_path": "/v/48659/f17", "id": "pyup.io-48659", "type": "cve", "cve": "CVE-2022-27778"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27779.", "transitive": true, "more_info_path": "/v/48660/f17", "id": "pyup.io-48660", "type": "cve", "cve": "CVE-2022-27779"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a null pointer dereference in TFLite's 'Reshape' operator. See CVE-2021-29592.", "transitive": false, "more_info_path": "/v/40744/f17", "id": "pyup.io-40744", "type": "cve", "cve": "CVE-2021-29592"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41196: In affected versions, the Keras pooling layers can trigger a segfault if the size of the pool is 0 or if a dimension is negative. This is due to TensorFlow's implementation of pooling operations where the values in the sliding window are not checked to be strictly positive. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-m539-j985-hcr8", "transitive": false, "more_info_path": "/v/42443/f17", "id": "pyup.io-42443", "type": "cve", "cve": "CVE-2021-41196"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37663:\r\nIn affected versions, due to incomplete validation in \"tf.raw_ops.QuantizeV2\", an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap allocated arrays. The implementation (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/quantize_op.cc#L59) has some validation but does not check that \"min_range\" and \"max_range\" both have the same non-zero number of elements. If \"axis\" is provided (i.e., not \"-1\"), then validation should check that it is a value in range for the rank of \"input\" tensor and then the lengths of \"min_range\" and \"max_range\" inputs match the \"axis\" dimension of the \"input\" tensor. The Tensorflow team has patched the issue in GitHub commit 6da6620efad397c85493b8f8667b821403516708. 
\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-g25h-jr74-qp5j\r\nhttps://github.com/tensorflow/tensorflow/commit/6da6620efad397c85493b8f8667b821403516708", "transitive": false, "more_info_path": "/v/41138/f17", "id": "pyup.io-41138", "type": "cve", "cve": "CVE-2021-37663"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37685: In affected versions TFLite's 'expand_dims.cc' (https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/expand_dims.cc#L36-L50) contains a vulnerability which allows reading one element outside of bounds of heap allocated data. If 'axis' is a large negative value (e.g., '-100000'), then after the first 'if' it would still be negative. The check following the 'if' statement will pass and the 'for' loop would read one element before the start of 'input_dims.data' (when 'i = 0'). The Tensorflow team has patched the issue in GitHub commit d94ffe08a65400f898241c0374e9edc6fa8ed257.", "transitive": false, "more_info_path": "/v/41160/f17", "id": "pyup.io-41160", "type": "cve", "cve": "CVE-2021-37685"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29595: The implementation of the `DepthToSpace` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/depth_to_space.cc#L63-L69). 
An attacker can craft a model such that `params->block_size` is 0.", "transitive": false, "more_info_path": "/v/40746/f17", "id": "pyup.io-40746", "type": "cve", "cve": "CVE-2021-29595"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35985: 'CHECK' fail in 'LRNGrad'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9942-r22v-78cp", "transitive": false, "more_info_path": "/v/51074/f17", "id": "pyup.io-51074", "type": "cve", "cve": "CVE-2022-35985"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41195: In affected versions, the implementation of 'tf.math.segment_*' operations results in a 'CHECK'-fail related abort (and denial of service) if a segment id in 'segment_ids' is large. This is similar to CVE-2021-29584 (and similar to other reported vulnerabilities in TensorFlow localized to specific APIs): the implementation (both on CPU and GPU) computes the output shape using 'AddDim'. However, if the number of elements in the tensor overflows an 'int64_t' value, 'AddDim' results in a 'CHECK' failure which provokes a 'std::abort'. Instead, code should use 'AddDimWithStatus'. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-cq76-mxrc-vchh", "transitive": false, "more_info_path": "/v/42442/f17", "id": "pyup.io-42442", "type": "cve", "cve": "CVE-2021-41195"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'MaxPool3DGradGrad'. 
See CVE-2021-29576.", "transitive": false, "more_info_path": "/v/40729/f17", "id": "pyup.io-40729", "type": "cve", "cve": "CVE-2021-29576"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41228: In affected versions, TensorFlow's 'saved_model_cli' tool is vulnerable to a code injection as it calls 'eval' on user supplied strings. This can be used by attackers to run arbitrary code on the platform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. The issue has been patched by adding a 'safe' flag which defaults to 'True' and an explicit warning for users.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v\r\nhttps://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7", "transitive": false, "more_info_path": "/v/42475/f17", "id": "pyup.io-42475", "type": "cve", "cve": "CVE-2021-41228"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'OneHot'. 
See CVE-2021-29600.", "transitive": false, "more_info_path": "/v/40753/f17", "id": "pyup.io-40753", "type": "cve", "cve": "CVE-2021-29600"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29202: Denial of service in 'tf.ragged.constant' due to lack of validation.", "transitive": false, "more_info_path": "/v/48650/f17", "id": "pyup.io-48650", "type": "cve", "cve": "CVE-2022-29202"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29547: An attacker can cause a segfault and denial of service via accessing data outside of bounds in 'tf.raw_ops.QuantizedBatchNormWithGlobalNormalization'. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc#L176-L189) assumes the inputs are not empty. If any of these inputs is empty, '.flat<T>()' is an empty buffer, so accessing the element at index 0 is accessing data outside of bounds.", "transitive": false, "more_info_path": "/v/40705/f17", "id": "pyup.io-40705", "type": "cve", "cve": "CVE-2021-29547"}, {"specs": [">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow version 2.3.1 includes a fix for CVE-2020-15197: In Tensorflow before version 2.3.1, the \"SparseCountSparseOutput\" implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the \"indices\" tensor has rank 2. This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of different rank, resulting in a \"CHECK\" assertion failure and a crash. 
This can be used to cause denial of service in serving installations, if users are allowed to control the components of the input sparse tensor. The issue was patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02.", "transitive": false, "more_info_path": "/v/39866/f17", "id": "pyup.io-39866", "type": "cve", "cve": "CVE-2020-15197"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29201: Missing validation which results in undefined behavior in 'QuantizedConv2D'.", "transitive": false, "more_info_path": "/v/48646/f17", "id": "pyup.io-48646", "type": "cve", "cve": "CVE-2022-29201"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29206: Missing validation which results in undefined behavior in 'SparseTensorDenseAdd'.", "transitive": false, "more_info_path": "/v/48645/f17", "id": "pyup.io-48645", "type": "cve", "cve": "CVE-2022-29206"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36002: 'CHECK' fail in 'Unbatch'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-mh3m-62v7-68xg", "transitive": false, "more_info_path": "/v/51091/f17", "id": "pyup.io-51091", "type": "cve", "cve": "CVE-2022-36002"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35983: 'CHECK' fail in 'Save' and 'SaveSlices'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-m6vp-8q9j-whx4", "transitive": false, "more_info_path": "/v/51072/f17", "id": "pyup.io-51072", "type": "cve", "cve": "CVE-2022-35983"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3"], "advisory": "TensorFlow 2.3.4, 
2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37643: If a user does not provide a valid padding value to 'tf.raw_ops.MatrixDiagPartOp', then the code triggers a null pointer dereference (if input is empty) or produces invalid behavior, ignoring all values after the first. The implementation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L89) reads the first value from a tensor buffer without first checking that the tensor has values to read from. The Tensorflow team has patched the issue in GitHub commit 482da92095c4d48f8784b1f00dda4f81c28d2988.", "transitive": false, "more_info_path": "/v/41118/f17", "id": "pyup.io-41118", "type": "cve", "cve": "CVE-2021-37643"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB write in TFLite. See CVE-2021-29603.", "transitive": false, "more_info_path": "/v/40758/f17", "id": "pyup.io-40758", "type": "cve", "cve": "CVE-2021-29603"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41215: In affected versions, the shape inference code for 'DeserializeSparse' can trigger a null pointer dereference. This is because the shape inference function assumes that the 'serialize_sparse' tensor is a tensor with positive rank (and having '3' as the last dimension). 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-x3v8-c8qx-3j3r\r\nhttps://github.com/tensorflow/tensorflow/commit/d3738dd70f1c9ceb547258cbb82d853da8771850", "transitive": false, "more_info_path": "/v/42462/f17", "id": "pyup.io-42462", "type": "cve", "cve": "CVE-2021-41215"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `OpLevelCostEstimator::CalculateOutputSize` is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements. We can have a large enough number of dimensions in `output_shape.dim()` or just a small number of dimensions being large enough to cause an overflow in the multiplication. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44861/f17", "id": "pyup.io-44861", "type": "cve", "cve": "CVE-2022-23576"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a null pointer dereference via invalid Ragged Tensors. 
See CVE-2021-29516.", "transitive": false, "more_info_path": "/v/40675/f17", "id": "pyup.io-40675", "type": "cve", "cve": "CVE-2021-29516"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29204: Missing validation which causes denial of service via 'Conv3DBackpropFilterV2'.", "transitive": false, "more_info_path": "/v/48647/f17", "id": "pyup.io-48647", "type": "cve", "cve": "CVE-2022-29204"}, {"specs": ["<1.15.0"], "advisory": "The original changelog reads: \"Tensorflow 2.0 fixes a potential security vulnerability where decoding variant tensors from proto could result in heap out of bounds memory access.\" However, it was later confirmed that the fix was already included in 1.15 and later. See: <https://github.com/tensorflow/tensorflow/issues/37701>.", "transitive": false, "more_info_path": "/v/37524/f17", "id": "pyup.io-37524", "type": "pve", "cve": "PVE-2021-37524"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of hashtable lookup. See CVE-2021-29604.", "transitive": false, "more_info_path": "/v/40755/f17", "id": "pyup.io-40755", "type": "cve", "cve": "CVE-2021-29604"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29566: An attacker can write outside the bounds of heap allocated arrays by passing invalid arguments to 'tf.raw_ops.Dilation2DBackpropInput'. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/afd954e65f15aea4d438d0a219136fc4a63a573d/tensorflow/core/kernels/dilation_ops.cc#L321-L322) does not validate before writing to the output array. 
The values for 'h_out' and 'w_out' are guaranteed to be in range for 'out_backprop' (as they are loop indices bounded by the size of the array). However, there are no similar guarantees relating 'h_in_max'/'w_in_max' and 'in_backprop'.", "transitive": false, "more_info_path": "/v/40722/f17", "id": "pyup.io-40722", "type": "cve", "cve": "CVE-2021-29566"}, {"specs": ["<1.15"], "advisory": "Tensorflow 1.15 includes a fix for CVE-2019-16778: In TensorFlow before 1.15, a heap buffer overflow in UnsortedSegmentSum can be produced when the Index template argument is int32. In this case data_size and num_segments fields are truncated from int64 to int32 and can produce negative numbers, resulting in accessing out of bounds heap memory. This is unlikely to be exploitable and was detected and fixed internally in TensorFlow 1.15 and 2.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-844w-j86r-4x2j\r\nhttps://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-002.md\r\nhttps://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892", "transitive": false, "more_info_path": "/v/40792/f17", "id": "pyup.io-40792", "type": "cve", "cve": "CVE-2019-16778"}, {"specs": ["<1.12.2"], "advisory": "NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file. See CVE-2019-9635.", "transitive": false, "more_info_path": "/v/40793/f17", "id": "pyup.io-40793", "type": "cve", "cve": "CVE-2019-9635"}, {"specs": ["<2.5.3", ">=2.6.0rc0,<2.6.3", ">=2.7.0rc0,<2.7.1"], "advisory": "Tensorflow versions 2.5.3, 2.6.3 and 2.7.1 include a fix for CVE-2021-41208: In affected versions, the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service (via dereferencing 'nullptr's or via 'CHECK'-failures) as well as abuse undefined behavior (binding references to 'nullptr's). 
An attacker can also read and write from heap buffers, depending on the API that gets used and the arguments that are passed to the call. Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommend to no longer use these APIs. TensorFlow's boosted trees APIs will be deprecated in subsequent releases.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-57wx-m983-2f88\r\nhttps://github.com/tensorflow/tensorflow/commit/5c8c9a8bfe750f9743d0c859bae112060b216f5c\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6gw-r52c-724r", "transitive": false, "more_info_path": "/v/42455/f17", "id": "pyup.io-42455", "type": "cve", "cve": "CVE-2021-41208"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29544: An attacker can trigger a denial of service via a 'CHECK'-fail in 'tf.raw_ops.QuantizeAndDequantizeV4Grad'. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/95078c145b5a7a43ee046144005f733092756ab5/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L162-L163) does not validate the rank of the 'input_*' tensors. In turn, this results in the tensors being passes as they are to 'QuantizeAndDequantizePerChannelGradientImpl' (https://github.com/tensorflow/tensorflow/blob/95078c145b5a7a43ee046144005f733092756ab5/tensorflow/core/kernels/quantize_and_dequantize_op.h#L295-L306). However, the 'vec<T>' method, requires the rank to 1 and triggers a 'CHECK' failure otherwise.", "transitive": false, "more_info_path": "/v/40701/f17", "id": "pyup.io-40701", "type": "cve", "cve": "CVE-2021-29544"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap out of bounds read in 'MaxPoolGradWithArgmax'. 
See CVE-2021-29570.", "transitive": false, "more_info_path": "/v/40724/f17", "id": "pyup.io-40724", "type": "cve", "cve": "CVE-2021-29570"}, {"specs": [">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "Tensorflow versions 2.5.1 and 2.6.0 include a fix for CVE-2021-37692:\r\nIn affected versions under certain conditions, Go code can trigger a segfault in string deallocation. For string tensors, \"C.TF_TString_Dealloc\" is called during garbage collection within a finalizer function. However, tensor structure isn't checked until encoding to avoid a performance penalty. The current method for dealloc assumes that encoding succeeded, but segfaults when a string tensor is garbage collected whose encoding failed (e.g., due to mismatched dimensions). To fix this, the call to set the finalizer function is deferred until \"NewTensor\" returns and, if encoding failed for a string tensor, deallocs are determined based on bytes written. The Tensorflow team has patched the issue in GitHub commit:\r\nhttps://github.com/tensorflow/tensorflow/commit/8721ba96e5760c229217b594f6d2ba332beedf22\r\nhttps://github.com/tensorflow/tensorflow/pull/50508\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-cmgw-8vpc-rc59", "transitive": false, "more_info_path": "/v/41168/f17", "id": "pyup.io-41168", "type": "cve", "cve": "CVE-2021-37692"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.2.0rc0,<2.2.3", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's convolution code. See CVE-2021-29594.", "transitive": false, "more_info_path": "/v/40747/f17", "id": "pyup.io-40747", "type": "cve", "cve": "CVE-2021-29594"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35996: Floating point exception in 'Conv2D'. 
\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-q5jv-m6qw-5g37", "transitive": false, "more_info_path": "/v/51085/f17", "id": "pyup.io-51085", "type": "cve", "cve": "CVE-2022-35996"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35990: 'CHECK' fail in 'FakeQuantWithMinMaxVarsPerChannelGradient'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-h7ff-cfc9-wmmh", "transitive": false, "more_info_path": "/v/51079/f17", "id": "pyup.io-51079", "type": "cve", "cve": "CVE-2022-35990"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35959: 'CHECK' failures in 'AvgPool3DGrad'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-wxjj-cgcx-r3vq", "transitive": false, "more_info_path": "/v/51055/f17", "id": "pyup.io-51055", "type": "cve", "cve": "CVE-2022-35959"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that any binary op would trigger `CHECK` failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the `dtype` no longer matches the `dtype` expected by the op. In that case, calling the templated binary operator for the binary op would receive corrupted data, due to the type confusion involved. If `Tin` and `Tout` don't match the type of data in `out` and `input_*` tensors then `flat<*>` would interpret it wrongly. In most cases, this would be a silent failure, but we have noticed scenarios where this results in a `CHECK` crash, hence a denial of service. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44868/f17", "id": "pyup.io-44868", "type": "cve", "cve": "CVE-2022-23583"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41217: In affected versions, the process of building the control flow graph for a TensorFlow model is vulnerable to a null pointer exception when nodes that should be paired are not. This occurs because the code assumes that the first node in the pairing (e.g., an 'Enter' node) always exists when encountering the second node (e.g., an 'Exit' node). When this is not the case, 'parent' is 'nullptr' so dereferencing it causes a crash. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-5crj-c72x-m7gq\r\nhttps://github.com/tensorflow/tensorflow/commit/05cbebd3c6bb8f517a158b0155debb8df79017ff", "transitive": false, "more_info_path": "/v/42464/f17", "id": "pyup.io-42464", "type": "cve", "cve": "CVE-2021-41217"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29589: The reference implementation of the `GatherNd` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/reference_ops.h#L966). An attacker can craft a model such that `params` input would be an empty tensor. 
In turn, `params_shape.Dims(.)` would be zero, in at least one dimension.", "transitive": false, "more_info_path": "/v/40741/f17", "id": "pyup.io-40741", "type": "cve", "cve": "CVE-2021-29589"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. If a graph node is invalid, TensorFlow can leak memory in the implementation of `ImmutableExecutorState::Initialize`. Here, we set `item->kernel` to `nullptr` but it is a simple `OpKernel*` pointer so the memory that was previously allocated to it would leak. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44863/f17", "id": "pyup.io-44863", "type": "cve", "cve": "CVE-2022-23578"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29587: TensorFlow is an end-to-end open source platform for machine learning. The `Prepare` step of the `SpaceToDepth` TFLite operator does not check for 0 before division (https://github.com/tensorflow/tensorflow/blob/5f7975d09eac0f10ed8a17dbb6f5964977725adc/tensorflow/lite/kernels/space_to_depth.cc#L63-L67). An attacker can craft a model such that `params->block_size` would be zero.", "transitive": false, "more_info_path": "/v/40740/f17", "id": "pyup.io-40740", "type": "cve", "cve": "CVE-2021-29587"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.2.0rc0,<2.2.3", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'EmbeddingLookup'. 
See CVE-2021-29596.", "transitive": false, "more_info_path": "/v/40748/f17", "id": "pyup.io-40748", "type": "cve", "cve": "CVE-2021-29596"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 include a fix for CVE-2020-15208: In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a \"DCHECK\" which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors. The issue was patched in commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d", "transitive": false, "more_info_path": "/v/39937/f17", "id": "pyup.io-39937", "type": "cve", "cve": "CVE-2020-15208"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29568:An attacker can trigger undefined behavior by binding to null pointer in `tf.raw_ops.ParameterizedTruncatedNormal`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3f6fe4dfef6f57e768260b48166c27d148f3015f/tensorflow/core/kernels/parameterized_truncated_normal_op.cc#L630) does not validate input arguments before accessing the first element of `shape`. 
If `shape` argument is empty, then `shape_tensor.flat<T>()` is an empty array.", "transitive": false, "more_info_path": "/v/40723/f17", "id": "pyup.io-40723", "type": "cve", "cve": "CVE-2021-29568"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 include a fix for CVE-2020-15190: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the \"tf.raw_ops.Switch\" operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is \"nullptr\", hence we are binding a reference to \"nullptr\". This is undefined behavior and reported as an error if compiling with \"-fsanitize=null\". In this case, this results in a segmentation fault The issue was patched in commit da8558533d925694483d2c136a9220d6d49d843c\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-4g9f-63rx-5cw4", "transitive": false, "more_info_path": "/v/38813/f17", "id": "pyup.io-38813", "type": "cve", "cve": "CVE-2020-15190"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 include a fix for CVE-2020-15210: In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-x9j7-x98r-r4w2", "transitive": false, "more_info_path": "/v/39983/f17", "id": "pyup.io-39983", "type": "cve", "cve": "CVE-2020-15210"}, {"specs": 
["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, Grappler component of TensorFlow can trigger a null pointer dereference. There are 2 places where this can occur, for the same malicious alteration of a `SavedModel` file (fixing the first one would trigger the same dereference in the second place). First, during constant folding, the `GraphDef` might not have the required nodes for the binary operation. If a node is missing, the correposning `mul_*child` would be null, and the dereference in the subsequent line would be incorrect. We have a similar issue during `IsIdentityConsumingSwitch`. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44874/f17", "id": "pyup.io-44874", "type": "cve", "cve": "CVE-2022-23589"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37650: In affected versions the implementation for `tf.raw_ops.ExperimentalDatasetToTFRecord` and `tf.raw_ops.DatasetToTFRecord` can trigger heap buffer overflow and segmentation fault. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/to_tf_record_op.cc#L93-L102) assumes that all records in the dataset are of string type. However, there is no check for that, and the example given above uses numeric types. 
The Tensorflow team has patched the issue in GitHub commit e0b6e58c328059829c3eb968136f17aa72b6c876.", "transitive": false, "more_info_path": "/v/41125/f17", "id": "pyup.io-41125", "type": "cve", "cve": "CVE-2021-37650"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in 'Conv3D'. See CVE-2021-29517.", "transitive": false, "more_info_path": "/v/40676/f17", "id": "pyup.io-40676", "type": "cve", "cve": "CVE-2021-29517"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap out of bounds read in 'RequantizationRange'. See CVE-2021-29569.", "transitive": false, "more_info_path": "/v/40725/f17", "id": "pyup.io-40725", "type": "cve", "cve": "CVE-2021-29569"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. There is a typo in TensorFlow's `SpecializeType` which results in heap OOB read/write. Due to a typo, `arg` is initialized to the `i`th mutable argument in a loop where the loop index is `j`. Hence it is possible to assign to `arg` from outside the vector of arguments. Since this is a mutable proto value, it allows both read and write to outside of bounds data. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44859/f17", "id": "pyup.io-44859", "type": "cve", "cve": "CVE-2022-23574"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.5.0, 2.4.2, 2.3.3, 2.2.3, and 2.1.4 include a fix for CVE-2021-29572: The implementation of `tf.raw_ops.SdcaOptimizer` triggers undefined behavior due to dereferencing a null pointer. The implementation (https://github.com/tensorflow/tensorflow/blob/60a45c8b6192a4699f2e2709a2645a751d435cc3/tensorflow/core/kernels/sdca_internal.cc) does not validate that the user supplied arguments satisfy all constraints expected by the op(https://www.tensorflow.org/api_docs/python/tf/raw_ops/SdcaOptimizer).", "transitive": false, "more_info_path": "/v/40471/f17", "id": "pyup.io-40471", "type": "cve", "cve": "CVE-2021-29572"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow versions 2.5.0, 2.4.2, 2.3.3, 2.2.3 and 2.1.4 updates its dependency \"curl\" to a secure version (7.76.0).", "transitive": true, "more_info_path": "/v/40776/f17", "id": "pyup.io-40776", "type": "cve", "cve": "CVE-2020-8285"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 include a fix for CVE-2020-15202: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the 'Shard' API in TensorFlow expects the last argument to be a function taking two 'int64' (i.e., 'long long') arguments. However, there are several places in TensorFlow where a lambda taking 'int' or 'int32' arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. 
Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6fg-mjxg-hqq4", "transitive": false, "more_info_path": "/v/39943/f17", "id": "pyup.io-39943", "type": "cve", "cve": "CVE-2020-15202"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29211: Segfault when 'tf.histogram_fixed_width' is called with NaN values.", "transitive": false, "more_info_path": "/v/48651/f17", "id": "pyup.io-48651", "type": "cve", "cve": "CVE-2022-29211"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29533: An attacker can trigger a denial of service via a 'CHECK' failure by passing an empty image to 'tf.raw_ops.DrawBoundingBoxes'. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80a40ccca1404f343b5d55f91/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L148-L165) uses 'CHECK_*' assertions instead of 'OP_REQUIRES' to validate user controlled inputs. Whereas 'OP_REQUIRES' allows returning an error condition back to the user, the 'CHECK_*' macros result in a crash if the condition is false, similar to 'assert'. In this case, 'height' is 0 from the 'images' input. 
This results in 'max_box_row_clamp' being negative and the assertion being falsified, followed by aborting program execution.", "transitive": false, "more_info_path": "/v/40692/f17", "id": "pyup.io-40692", "type": "cve", "cve": "CVE-2021-29533"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a integer overflow in TFLite concatentation. See CVE-2021-29601.", "transitive": false, "more_info_path": "/v/40756/f17", "id": "pyup.io-40756", "type": "cve", "cve": "CVE-2021-29601"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'MaxPoolGradWithArgmax'. See CVE-2021-29573.", "transitive": false, "more_info_path": "/v/40727/f17", "id": "pyup.io-40727", "type": "cve", "cve": "CVE-2021-29573"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB access in unicode ops. 
See CVE-2021-29559.", "transitive": false, "more_info_path": "/v/40716/f17", "id": "pyup.io-40716", "type": "cve", "cve": "CVE-2021-29559"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 update its dependency 'curl' to v7.78.0 to handle CVE-2021-22924.", "transitive": true, "more_info_path": "/v/43748/f17", "id": "pyup.io-43748", "type": "cve", "cve": "CVE-2021-22924"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 update its dependency 'curl' to v7.78.0 to handle CVE-2021-22923.", "transitive": true, "more_info_path": "/v/43747/f17", "id": "pyup.io-43747", "type": "cve", "cve": "CVE-2021-22923"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix an undefined behavior in 'MaxPool3DGradGrad'. See CVE-2021-29574.", "transitive": false, "more_info_path": "/v/40728/f17", "id": "pyup.io-40728", "type": "cve", "cve": "CVE-2021-29574"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in optimized pooling implementations in TFLite. See CVE-2021-29586.", "transitive": false, "more_info_path": "/v/40739/f17", "id": "pyup.io-40739", "type": "cve", "cve": "CVE-2021-29586"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB read in TFLite's implementation of 'Minimum' or 'Maximum'. 
See CVE-2021-29590.", "transitive": false, "more_info_path": "/v/40743/f17", "id": "pyup.io-40743", "type": "cve", "cve": "CVE-2021-29590"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37661: In affected versions an attacker can cause a denial of service in 'boosted_trees_create_quantile_stream_resource' by using negative arguments. The implementation (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/quantile_ops.cc#L96) does not validate that 'num_streams' only contains non-negative numbers. In turn, this results in using this value to allocate memory (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/quantiles/quantile_stream_resource.h#L31-L40). However, 'reserve' receives an unsigned integer so there is an implicit conversion from a negative value to a large positive unsigned. This results in a crash from the standard library. 
The Tensorflow team has patched the issue in GitHub commit 8a84f7a2b5a2b27ecf88d25bad9ac777cd2f7992.", "transitive": false, "more_info_path": "/v/41136/f17", "id": "pyup.io-41136", "type": "cve", "cve": "CVE-2021-37661"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27780.", "transitive": true, "more_info_path": "/v/48661/f17", "id": "pyup.io-48661", "type": "cve", "cve": "CVE-2022-27780"}, {"specs": [">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow versions 2.2.1 and 2.3.1 includes a fix for CVE-2020-15212: In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to \"segment_ids_data\" can alter \"output_index\" and then write to outside of \"output_data\" buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced exploits. The issue was patched in commit 204945b19e44b57906c9344c0d00120eeeae178a. A potential workaround is to add a custom \"Verifier\" to the model loading code to ensure that the segment ids are all positive, although this only handles the case when the segment ids are stored statically in the model. A similar validation could be done if the segment ids are generated at runtime between inference steps. 
If the segment ids are generated as outputs of a tensor during inference steps, then there are no possible workaround and users are advised to upgrade to patched code.", "transitive": false, "more_info_path": "/v/39852/f17", "id": "pyup.io-39852", "type": "cve", "cve": "CVE-2020-15212"}, {"specs": [">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow versions 2.2.1 and 2.3.1 includes a fix for CVE-2020-15214: In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a write out bounds / segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimension of output tensor. This results in allocating insufficient memory for the output tensor and in a write outside the bounds of the output array. This usually results in a segmentation fault, but depending on runtime conditions it can provide for a write gadget to be used in future memory corruption-based exploits. The issue was patched in commit 204945b19e44b57906c9344c0d00120eeeae178a. A potential workaround is to add a custom \"Verifier\" to the model loading code to ensure that the segment ids are sorted, although this only handles the case when the segment ids are stored statically in the model. A similar validation could be done if the segment ids are generated at runtime between inference steps. 
If the segment ids are generated as outputs of a tensor during inference steps, then there are no possible workaround and users are advised to upgrade to patched code.", "transitive": false, "more_info_path": "/v/39850/f17", "id": "pyup.io-39850", "type": "cve", "cve": "CVE-2020-15214"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37635: In affected versions the implementation of sparse reduction operations in TensorFlow can trigger accesses outside of bounds of heap allocated data. The [implementation](https://github.com/tensorflow/tensorflow/blob/a1bc56203f21a5a4995311825ffaba7a670d7747/tensorflow/core/kernels/sparse_reduce_op.cc#L217-L228) fails to validate that each reduction group does not overflow and that each corresponding index does not point to outside the bounds of the input tensor. The Tensorflow team has patched the issue in GitHub commit 87158f43f05f2720a374f3e6d22a7aaa3a33f750.", "transitive": false, "more_info_path": "/v/41110/f17", "id": "pyup.io-41110", "type": "cve", "cve": "CVE-2021-37635"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'SVDF'. See CVE-2021-29598.", "transitive": false, "more_info_path": "/v/40751/f17", "id": "pyup.io-40751", "type": "cve", "cve": "CVE-2021-29598"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a heap buffer overflow in 'Conv3DBackprop*'. 
See CVE-2021-29520.", "transitive": false, "more_info_path": "/v/40680/f17", "id": "pyup.io-40680", "type": "cve", "cve": "CVE-2021-29520"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 include a fix for CVE-2020-15209: In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a \"nullptr\" buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with \"nullptr\". However, by changing the buffer index for a tensor and implicitly converting that tensor to be a read-write one, as there is nothing in the model that writes to it, we get a null pointer dereference. The issue was patched in commit 0b5662bc.", "transitive": false, "more_info_path": "/v/39960/f17", "id": "pyup.io-39960", "type": "cve", "cve": "CVE-2020-15209"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23567: The implementations of 'Sparse*Cwise*' ops are vulnerable to integer overflows. These can be used to trigger large allocations (so, OOM based denial of service) or 'CHECK'-fails when building new 'TensorShape' objects (so, assert failures based denial of service). 
There are missing some validation on the shapes of the input tensors as well as directly constructing a large 'TensorShape' with user-provided dimensions.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-rrx2-r989-2c43", "transitive": false, "more_info_path": "/v/44794/f17", "id": "pyup.io-44794", "type": "cve", "cve": "CVE-2022-23567"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41216: In affected versions, the shape inference function for 'Transpose' is vulnerable to a heap buffer overflow. This occurs whenever 'perm' contains negative elements. The shape inference function does not validate that the indices in 'perm' are all valid. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-3ff2-r28g-w7h9\r\nhttps://github.com/tensorflow/tensorflow/commit/c79ba87153ee343401dbe9d1954d7f79e521eb14", "transitive": false, "more_info_path": "/v/42463/f17", "id": "pyup.io-42463", "type": "cve", "cve": "CVE-2021-41216"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'QuantizedMul'. See CVE-2021-29528.", "transitive": false, "more_info_path": "/v/40687/f17", "id": "pyup.io-40687", "type": "cve", "cve": "CVE-2021-29528"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a 'CHECK'-fail in 'tf.raw_ops.EncodePng'. 
See CVE-2021-29531.", "transitive": false, "more_info_path": "/v/40690/f17", "id": "pyup.io-40690", "type": "cve", "cve": "CVE-2021-29531"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29205: Segfault due to missing support for quantized types.", "transitive": false, "more_info_path": "/v/48644/f17", "id": "pyup.io-48644", "type": "cve", "cve": "CVE-2022-29205"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41880: When the 'BaseCandidateSamplerOp' function receives a value in 'true_classes' larger than 'range_max', a heap oob read occurs.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-8w5g-3wcv-9g2j", "transitive": false, "more_info_path": "/v/51941/f17", "id": "pyup.io-51941", "type": "cve", "cve": "CVE-2022-41880"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29199: Missing validation which causes denial of service via 'LoadAndRemapMatrix'.", "transitive": false, "more_info_path": "/v/48639/f17", "id": "pyup.io-48639", "type": "cve", "cve": "CVE-2022-29199"}, {"specs": [">=2.0.0a0,<2.0.1", "<1.15.2"], "advisory": "Tensorflow versions 1.15.2 and 2.0.1 update its dependency \"SQLite\" to handle CVE-2019-19646.", "transitive": true, "more_info_path": "/v/39537/f17", "id": "pyup.io-39537", "type": "cve", "cve": "CVE-2019-19646"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29213: Crashes stemming from incomplete validation in signal ops.", "transitive": false, "more_info_path": "/v/48653/f17", "id": "pyup.io-48653", "type": "cve", "cve": "CVE-2022-29213"}, {"specs": 
[">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a segfault in 'SparseCountSparseOutput'. See CVE-2021-29521.", "transitive": false, "more_info_path": "/v/40679/f17", "id": "pyup.io-40679", "type": "cve", "cve": "CVE-2021-29521"}, {"specs": ["<1.10.0"], "advisory": "tensorflow before 1.10.0 uses an insecure grpc dependency.", "transitive": false, "more_info_path": "/v/36375/f17", "id": "pyup.io-36375", "type": "pve", "cve": "PVE-2021-36375"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that assertions in `function.cc` would be falsified and crash the Python interpreter. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44871/f17", "id": "pyup.io-44871", "type": "cve", "cve": "CVE-2022-23586"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29538: An attacker can cause a division by zero to occur in 'Conv2DBackpropFilter'. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L513-L522) computes a divisor based on user provided data (i.e., the shape of the tensors given as arguments). If all shapes are empty then 'work_unit_size' is 0. 
Since there is no check for this case before division, this results in a runtime exception, with potential to be abused for a denial of service.", "transitive": false, "more_info_path": "/v/40697/f17", "id": "pyup.io-40697", "type": "cve", "cve": "CVE-2021-29538"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37644: In affected versions providing a negative element to 'num_elements' list argument of 'tf.raw_ops.TensorListReserve' causes the runtime to abort the process due to reallocating a 'std::vector' to have a negative number of elements. The implementation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312) calls 'std::vector.resize()' with the new size controlled by input given by the user, without checking that this input is valid. The Tensorflow team has patched the issue in GitHub commit 8a6e874437670045e6c7dc6154c7412b4a2135e2.", "transitive": false, "more_info_path": "/v/41119/f17", "id": "pyup.io-41119", "type": "cve", "cve": "CVE-2021-37644"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user controlled arguments, if the tensors have an invalid `dtype` and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow processes. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44856/f17", "id": "pyup.io-44856", "type": "cve", "cve": "CVE-2022-23571"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37665:\r\nIn affected versions, due to incomplete validation in MKL implementation of requantization, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap allocated arrays. The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/mkl/mkl_requantization_range_per_channel_op.cc) does not validate the dimensions of the \"input\" tensor. A similar issue occurs in \"MklRequantizePerChannelOp\". The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/mkl/mkl_requantize_per_channel_op.cc) does not perform full validation for all the input arguments. 
The Tensorflow team has patched the issue in GitHub commit 9e62869465573cb2d9b5053f1fa02a81fce21d69 and in the Github commit 203214568f5bc237603dbab6e1fd389f1572f5c9.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-v82p-hv3v-p6qp\r\nhttps://github.com/tensorflow/tensorflow/commit/203214568f5bc237603dbab6e1fd389f1572f5c9\r\nhttps://github.com/tensorflow/tensorflow/commit/9e62869465573cb2d9b5053f1fa02a81fce21d69", "transitive": false, "more_info_path": "/v/41140/f17", "id": "pyup.io-41140", "type": "cve", "cve": "CVE-2021-37665"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-22576.", "transitive": true, "more_info_path": "/v/48655/f17", "id": "pyup.io-48655", "type": "cve", "cve": "CVE-2022-22576"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by incomplete validation in 'SparseReshape'. See CVE-2021-29611.", "transitive": false, "more_info_path": "/v/40763/f17", "id": "pyup.io-40763", "type": "cve", "cve": "CVE-2021-29611"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix an undefined behavior and a 'CHECK'-fail in 'FractionalMaxPoolGrad'. See CVE-2021-29580.", "transitive": false, "more_info_path": "/v/40731/f17", "id": "pyup.io-40731", "type": "cve", "cve": "CVE-2021-29580"}, {"specs": [">=2.0.0a0,<2.0.1", "<1.15.2"], "advisory": "Tensorflow versions 1.15.2 and 2.0.1 includes a fix for CVE-2020-5215: In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. 
This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant(\"hello\", tf.float16), if eager execution is enabled.", "transitive": false, "more_info_path": "/v/37776/f17", "id": "pyup.io-37776", "type": "cve", "cve": "CVE-2020-5215"}, {"specs": [">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow 2.3.1 includes a fix for CVE-2020-15200: In Tensorflow before version 2.3.1, the \"RaggedCountSparseOutput\" implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the \"splits\" tensor generate a valid partitioning of the \"values\" tensor. Thus, the code sets up conditions to cause a heap buffer overflow. A \"BatchedMap\" is equivalent to a vector where each element is a hashmap. However, if the first element of \"splits_values\" is not 0, \"batch_idx\" will never be 1, hence there will be no hashmap at index 0 in \"per_batch_counts\". Trying to access that in the user code results in a segmentation fault. The issue was patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-x7rp-74x2-mjf3", "transitive": false, "more_info_path": "/v/39863/f17", "id": "pyup.io-39863", "type": "cve", "cve": "CVE-2020-15200"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21733: The implementation of 'StringNGrams' can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. 
There is missing a validation on 'pad_witdh' and that result in computing a negative value for 'ngram_width' which is later used to allocate parts of the output.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-98j8-c9q4-r38g", "transitive": false, "more_info_path": "/v/44785/f17", "id": "pyup.io-44785", "type": "cve", "cve": "CVE-2022-21733"}, {"specs": [">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.5.0rc0,<2.5.0"], "advisory": "Tensorflow versions 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 include a fix for CVE-2021-29567: Due to lack of validation in 'tf.raw_ops.SparseDenseCwiseMul', an attacker can trigger denial of service via 'CHECK'-fails or accesses to outside the bounds of heap allocated data. Since the implementation (https://github.com/tensorflow/tensorflow/blob/38178a2f7a681a7835bb0912702a134bfe3b4d84/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc#L68-L80), it only validates the rank of the input arguments but no constraints between dimensions (https://www.tensorflow.org/api_docs/python/tf/raw_ops/SparseDenseCwiseMul) and an attacker can abuse them to trigger internal 'CHECK' assertions (and cause program termination, denial of service) or to write to memory outside of bounds of heap allocated tensor buffers.", "transitive": false, "more_info_path": "/v/40469/f17", "id": "pyup.io-40469", "type": "cve", "cve": "CVE-2021-29567"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37649: The code for 'tf.raw_ops.UncompressElement' can be made to trigger a null pointer dereference. 
The implementation (https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/compression_ops.cc#L50-L53) obtains a pointer to a 'CompressedElement' from a 'Variant' tensor and then proceeds to dereference it for decompressing. There is no check that the 'Variant' tensor contained a 'CompressedElement', so the pointer is actually 'nullptr'. The Tensorflow team has patched the issue in GitHub commit 7bdf50bb4f5c54a4997c379092888546c97c3ebd.", "transitive": false, "more_info_path": "/v/41124/f17", "id": "pyup.io-41124", "type": "cve", "cve": "CVE-2021-37649"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29209: Type confusion leading to 'CHECK'-failure based denial of service.", "transitive": false, "more_info_path": "/v/48654/f17", "id": "pyup.io-48654", "type": "cve", "cve": "CVE-2022-29209"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2 and 2.2.1 updates its dependency \"SQLite\" to handle CVE-2020-13631.", "transitive": true, "more_info_path": "/v/39900/f17", "id": "pyup.io-39900", "type": "cve", "cve": "CVE-2020-13631"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44872/f17", "id": "pyup.io-44872", "type": "cve", "cve": "CVE-2022-23587"}, {"specs": [">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow 2.3.1 includes a fix for CVE-2020-15199: In Tensorflow before version 2.3.1, the \"RaggedCountSparseOutput\" does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the \"splits\" tensor has the minimum required number of elements. Code uses this quantity to initialize a different data structure. Since \"BatchedMap\" is equivalent to a vector, it needs to have at least one element to not be \"nullptr\". If user passes a \"splits\" tensor that is empty or has exactly one element, we get a \"SIGABRT\" signal raised by the operating system. The issue was patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-x5cp-9pcf-pp3h", "transitive": false, "more_info_path": "/v/39864/f17", "id": "pyup.io-39864", "type": "cve", "cve": "CVE-2020-15199"}, {"specs": ["<1.7.0"], "advisory": "TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc. See CVE-2018-21233.", "transitive": false, "more_info_path": "/v/40787/f17", "id": "pyup.io-40787", "type": "cve", "cve": "CVE-2018-21233"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29549: An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. 
This is because the implementation (https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L289-L295) computes a modulo operation without validating that the divisor is not zero. Since `vector_num_elements` is determined based on input shapes (https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L522-L544), a user can trigger scenarios where this quantity is 0.", "transitive": false, "more_info_path": "/v/40706/f17", "id": "pyup.io-40706", "type": "cve", "cve": "CVE-2021-29549"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37674:\r\nIn affected versions, an attacker can trigger a denial of service via a segmentation fault in \"tf.raw_ops.MaxPoolGrad\" caused by missing validation. The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/maxpooling_op.cc) misses some validation for the \"orig_input\" and \"orig_output\" tensors. The fixes for CVE-2021-29579 were incomplete. 
The Tensorflow team has patched the issue in GitHub commit 136b51f10903e044308cf77117c0ed9871350475.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-7ghq-fvr3-pj2x\r\nhttps://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-068.md\r\nhttps://github.com/tensorflow/tensorflow/commit/136b51f10903e044308cf77117c0ed9871350475", "transitive": false, "more_info_path": "/v/41149/f17", "id": "pyup.io-41149", "type": "cve", "cve": "CVE-2021-37674"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35974: Segfault in 'QuantizeDownAndShrinkRange'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-vgvh-2pf4-jr2x", "transitive": false, "more_info_path": "/v/51068/f17", "id": "pyup.io-51068", "type": "cve", "cve": "CVE-2022-35974"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "TensorFlow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41226: In affected versions, the implementation of 'SparseBinCount' is vulnerable to a heap OOB access. This is because of missing validation between the elements of the 'values' argument and the shape of the sparse output. 
The fix is also included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-374m-jm66-3vj8\r\nhttps://github.com/tensorflow/tensorflow/commit/f410212e373eb2aec4c9e60bf3702eba99a38aba", "transitive": false, "more_info_path": "/v/42473/f17", "id": "pyup.io-42473", "type": "cve", "cve": "CVE-2021-41226"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37659: In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don't require broadcasting (e.g., gradients of binary cwise operations). The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/cwise_ops_common.h#L264) assumes that the two inputs have exactly the same number of elements but does not check that. Hence, when the eigen functor executes it triggers heap OOB reads and undefined behavior due to binding to nullptr. We have patched the issue in GitHub commit 93f428fd1768df147171ed674fee1fc5ab8309ec.", "transitive": false, "more_info_path": "/v/41134/f17", "id": "pyup.io-41134", "type": "cve", "cve": "CVE-2021-37659"}, {"specs": [">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow version 2.6.1 includes a fix for CVE-2021-41211: In affected versions, the shape inference code for 'QuantizeV2' can trigger a read outside of bounds of heap allocated array. This occurs whenever 'axis' is a negative value less than '-1'. In this case, we are accessing data before the start of a heap buffer. The code allows 'axis' to be an optional argument ('s' would contain an 'error::NOT_FOUND' error code). Otherwise, it assumes that 'axis' is a valid index into the dimensions of the 'input' tensor. If 'axis' is less than '-1' then this results in a heap OOB read. The fix is included in TensorFlow 2.7.0. 
\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-cvgx-3v3q-m36c\r\nhttps://github.com/tensorflow/tensorflow/commit/a0d64445116c43cf46a5666bd4eee28e7a82f244", "transitive": false, "more_info_path": "/v/42458/f17", "id": "pyup.io-42458", "type": "cve", "cve": "CVE-2021-41211"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21735: The implementation of 'FractionalMaxPool' can be made to crash a TensorFlow process via a division by 0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-87v6-crgm-2gfj", "transitive": false, "more_info_path": "/v/44787/f17", "id": "pyup.io-44787", "type": "cve", "cve": "CVE-2022-21735"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27782.", "transitive": true, "more_info_path": "/v/48663/f17", "id": "pyup.io-48663", "type": "cve", "cve": "CVE-2022-27782"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, TensorFlow can fail to specialize a type during shape inference. This case is covered by the `DCHECK` function however, `DCHECK` is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the `ValueOrDie` line. This results in an assertion failure as `ret` contains an error `Status`, not a value. In the second case we also get a crash due to the assertion failure. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44857/f17", "id": "pyup.io-44857", "type": "cve", "cve": "CVE-2022-23572"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37675: In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. The Tensorflow team has patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4.", "transitive": false, "more_info_path": "/v/41150/f17", "id": "pyup.io-41150", "type": "cve", "cve": "CVE-2021-37675"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41884: If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. \r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-jq6x-99hj-q636", "transitive": false, "more_info_path": "/v/51943/f17", "id": "pyup.io-51943", "type": "cve", "cve": "CVE-2022-41884"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37669:\r\nIn affected versions, an attacker can cause denial of service in applications serving models using \"tf.raw_ops.NonMaxSuppressionV5\" by triggering a division by 0. 
The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/image/non_max_suppression_op.cc#L170-L271) uses a user controlled argument to resize a \"std::vector\". However, as \"std::vector::resize\" takes the size argument as a \"size_t\" and \"output_size\" is an \"int\", there is an implicit conversion to unsigned. If the attacker supplies a negative value, this conversion results in a crash. A similar issue occurs in \"CombinedNonMaxSuppression\". The Tensorflow team has patched the issue in GitHub commit 3a7362750d5c372420aa8f0caf7bf5b5c3d0f52d and commit b5cdbf12ffcaaffecf98f22a6be5a64bb96e4f58.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-vmjw-c2vp-p33c\r\nhttps://github.com/tensorflow/tensorflow/commit/3a7362750d5c372420aa8f0caf7bf5b5c3d0f52d\r\nhttps://github.com/tensorflow/tensorflow/commit/b5cdbf12ffcaaffecf98f22a6be5a64bb96e4f58", "transitive": false, "more_info_path": "/v/41144/f17", "id": "pyup.io-41144", "type": "cve", "cve": "CVE-2021-37669"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'FusedBatchNorm'. See CVE-2021-29555.", "transitive": false, "more_info_path": "/v/40712/f17", "id": "pyup.io-40712", "type": "cve", "cve": "CVE-2021-29555"}, {"specs": [">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow 2.3.1 includes a fix for CVE-2020-15201: In Tensorflow before version 2.3.1, the \"RaggedCountSparseOutput\" implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the \"splits\" tensor generate a valid partitioning of the \"values\" tensor. Hence, the code is prone to heap buffer overflow. 
If \"split_values\" does not end with a value at least \"num_values\" then the \"while\" loop condition will trigger a read outside of the bounds of \"split_values\" once \"batch_idx\" grows too large. The issue was patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-p5f8-gfw5-33w4", "transitive": false, "more_info_path": "/v/39862/f17", "id": "pyup.io-39862", "type": "cve", "cve": "CVE-2020-15201"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by incomplete validation in 'tf.raw_ops.CTCLoss'. See CVE-2021-29613.", "transitive": false, "more_info_path": "/v/40766/f17", "id": "pyup.io-40766", "type": "cve", "cve": "CVE-2021-29613"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29537: An attacker can cause a heap buffer overflow in `QuantizedResizeBilinear` by passing in invalid thresholds for the quantization. 
This is because the implementation (https://github.com/tensorflow/tensorflow/blob/50711818d2e61ccce012591eeb4fdf93a8496726/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L705-L706) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly.", "transitive": false, "more_info_path": "/v/40695/f17", "id": "pyup.io-40695", "type": "cve", "cve": "CVE-2021-29537"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29618: Passing a complex argument to `tf.transpose` at the same time as passing 'conjugate=True' argument results in a crash.", "transitive": false, "more_info_path": "/v/40769/f17", "id": "pyup.io-40769", "type": "cve", "cve": "CVE-2021-29618"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a stack overflow in 'ParseAttrValue' with nested tensors. See CVE-2021-29615.", "transitive": false, "more_info_path": "/v/40767/f17", "id": "pyup.io-40767", "type": "cve", "cve": "CVE-2021-29615"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41897: If 'FractionMaxPoolGrad' is given outsize inputs 'row_pooling_sequence' and 'col_pooling_sequence', TensorFlow will crash.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-f2w8-jw48-fr7j", "transitive": false, "more_info_path": "/v/51955/f17", "id": "pyup.io-51955", "type": "cve", "cve": "CVE-2022-41897"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `GetInitOp` is vulnerable to a crash caused by dereferencing a null pointer. 
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44862/f17", "id": "pyup.io-44862", "type": "cve", "cve": "CVE-2022-23577"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29558: An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/699bff5d961f0abfde8fa3f876e6d241681fbef8/tensorflow/core/util/sparse/sparse_tensor.h#L528-L530) accesses an array element based on a user controlled offset.", "transitive": false, "more_info_path": "/v/40715/f17", "id": "pyup.io-40715", "type": "cve", "cve": "CVE-2021-29558"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41203: In affected versions, an attacker can trigger undefined behavior, integer overflows, segfaults and 'CHECK'-fail crashes if they can change saved checkpoints from outside of TensorFlow. This is because the checkpoints loading infrastructure is missing validation for invalid file formats.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-7pxj-m4jf-r6h2", "transitive": false, "more_info_path": "/v/42450/f17", "id": "pyup.io-42450", "type": "cve", "cve": "CVE-2021-41203"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 include a fix for CVE-2020-15205: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the 'data_splits' argument of 'tf.raw_ops.StringNGrams' lacks validation. 
This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after 'ee ff' are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-g7p5-5759-qv46", "transitive": false, "more_info_path": "/v/39940/f17", "id": "pyup.io-39940", "type": "cve", "cve": "CVE-2020-15205"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35987: 'CHECK' fail in 'DenseBincount'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-w62h-8xjm-fv49", "transitive": false, "more_info_path": "/v/51076/f17", "id": "pyup.io-51076", "type": "cve", "cve": "CVE-2022-35987"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37677:\r\nIn affected versions the shape inference code for \"tf.raw_ops.Dequantize\" has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments. The shape inference implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/ops/array_ops.cc#L2999-L3014) uses \"axis\" to select between two different values for \"minmax_rank\" which is then used to retrieve tensor dimensions. However, code assumes that \"axis\" can be either \"-1\" or a value greater than \"-1\", with no validation for the other values. 
The Tensorflow team has patched the issue in GitHub commit da857cfa0fde8f79ad0afdbc94e88b5d4bbec764.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-qfpc-5pjr-mh26\r\nhttps://github.com/tensorflow/tensorflow/commit/da857cfa0fde8f79ad0afdbc94e88b5d4bbec764", "transitive": false, "more_info_path": "/v/41152/f17", "id": "pyup.io-41152", "type": "cve", "cve": "CVE-2021-37677"}, {"specs": [">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37645: In affected versions the implementation of `tf.raw_ops.QuantizeAndDequantizeV4Grad` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L126) uses the `axis` value as the size argument to `absl::InlinedVector` constructor. But, the constructor uses an unsigned type for the argument, so the implicit conversion transforms the negative value to a large integer. 
The Tensorflow team has patched the issue in GitHub commit 96f364a1ca3009f98980021c4b32be5fdcca33a1.", "transitive": false, "more_info_path": "/v/41120/f17", "id": "pyup.io-41120", "type": "cve", "cve": "CVE-2021-37645"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36011: Null dereference on MLIR on empty function attributes.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-fv43-93gv-vm8f", "transitive": false, "more_info_path": "/v/51095/f17", "id": "pyup.io-51095", "type": "cve", "cve": "CVE-2022-36011"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36027: Segfault TFLite converter on per-channel quantized transposed convolutions.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-79h2-q768-fpxr", "transitive": false, "more_info_path": "/v/51105/f17", "id": "pyup.io-51105", "type": "cve", "cve": "CVE-2022-36027"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29545: An attacker can trigger a denial of service via a 'CHECK'-fail in converting sparse tensors to CSR Sparse matrices. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/800346f2c03a27e182dd4fba48295f65e7790739/tensorflow/core/kernels/sparse/kernels.cc#L66) does a double redirection to access an element of an array allocated on the heap. 
If the value at 'indices(i, 0)' is such that 'indices(i, 0) + 1' is outside the bounds of 'csr_row_ptr', this results in writing outside of bounds of heap allocated data.", "transitive": false, "more_info_path": "/v/40703/f17", "id": "pyup.io-40703", "type": "cve", "cve": "CVE-2021-29545"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35972: Segfault in 'QuantizedBiasAdd'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-4pc4-m9mj-v2r9", "transitive": false, "more_info_path": "/v/51066/f17", "id": "pyup.io-51066", "type": "cve", "cve": "CVE-2022-35972"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36014: Null-dereference in 'mlir::tfg::TFOp::nameAttr'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-7j3m-8g3c-9qqq", "transitive": false, "more_info_path": "/v/51098/f17", "id": "pyup.io-51098", "type": "cve", "cve": "CVE-2022-36014"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2 and 2.2.1 updates its dependency \"SQLite\" to handle CVE-2020-13435.", "transitive": true, "more_info_path": "/v/39902/f17", "id": "pyup.io-39902", "type": "cve", "cve": "CVE-2020-13435"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37667: In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in 'tf.raw_ops.UnicodeEncode'. The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/unicode_ops.cc#L533-L539) reads the first dimension of the 'input_splits' tensor before validating that this tensor is not empty. 
The Tensorflow team has patched the issue in GitHub commit 2e0ee46f1a47675152d3d865797a18358881d7a6.", "transitive": false, "more_info_path": "/v/41142/f17", "id": "pyup.io-41142", "type": "cve", "cve": "CVE-2021-37667"}, {"specs": ["<2.4.0"], "advisory": "TensorFlow 2.4.0 includes a fix for CVE-2020-15266: In Tensorflow before version 2.4.0, when the 'boxes' argument of 'tf.image.crop_and_resize' has a very large value, the CPU kernel implementation receives it as a C++ 'nan' floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault.\r\nhttps://github.com/tensorflow/tensorflow/issues/42129\r\nhttps://github.com/tensorflow/tensorflow/pull/42143/commits/3ade2efec2e90c6237de32a19680caaa3ebc2845\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-xwhf-g6j5-j5gc", "transitive": false, "more_info_path": "/v/40795/f17", "id": "pyup.io-40795", "type": "cve", "cve": "CVE-2020-15266"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21732: The implementation of 'ThreadPoolHandle' can be used to trigger a denial of service attack by allocating too much memory. 
This is because the 'num_threads' argument is only checked to not be negative, but there is no upper bound on its value.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-c582-c96p-r5cq", "transitive": false, "more_info_path": "/v/44784/f17", "id": "pyup.io-44784", "type": "cve", "cve": "CVE-2022-21732"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21740: The implementation of 'SparseCountSparseOutput' is vulnerable to a heap overflow.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-44qp-9wwf-734r", "transitive": false, "more_info_path": "/v/44792/f17", "id": "pyup.io-44792", "type": "cve", "cve": "CVE-2022-21740"}, {"specs": [">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "Tensorflow versions 2.2.1 and 2.3.1 include a fix for CVE-2020-15192: In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to 'dlpack.to_dlpack' there is a memory leak following an expected validation failure. The issue occurs because the 'status' argument during validation failures is not properly checked. 
Since each of the above methods can return an error status, the 'status' value must be checked before continuing.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-8fxw-76px-3rxv", "transitive": false, "more_info_path": "/v/39871/f17", "id": "pyup.io-39871", "type": "cve", "cve": "CVE-2020-15192"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35941: 'CHECK' failure in 'AvgPoolOp'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-mgmh-g2v6-mqw5", "transitive": false, "more_info_path": "/v/51053/f17", "id": "pyup.io-51053", "type": "cve", "cve": "CVE-2022-35941"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41910: The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-frqp-wp83-qggv", "transitive": false, "more_info_path": "/v/52348/f17", "id": "pyup.io-52348", "type": "cve", "cve": "CVE-2022-41910"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. TensorFlow is vulnerable to a heap OOB write in `Grappler`. The `set_output` function writes to an array at the specified index. Hence, this gives a malicious user a write primitive. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44854/f17", "id": "pyup.io-44854", "type": "cve", "cve": "CVE-2022-23566"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37647: When a user does not supply arguments that determine a valid sparse tensor, 'tf.raw_ops.SparseTensorSliceDataset' implementation can be made to dereference a null pointer. The implementation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L240-L251) has some argument validation but fails to consider the case when either 'indices' or 'values' are provided for an empty sparse tensor when the other is not. If 'indices' is empty, then code that performs validation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L260-L261) (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference. If 'indices' as provided by the user is empty, then 'indices' in the C++ code above is backed by an empty 'std::vector', hence calling 'indices->dim_size(0)' results in null pointer dereferencing (same as calling 'std::vector::at()' on an empty vector). 
The Tensorflow team has patched the issue in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7.", "transitive": false, "more_info_path": "/v/41122/f17", "id": "pyup.io-41122", "type": "cve", "cve": "CVE-2021-37647"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23579: The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a 'SavedModel' such that 'SafeToRemoveIdentity' would trigger 'CHECK' failures.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-5f2r-qp73-37mr", "transitive": false, "more_info_path": "/v/44864/f17", "id": "pyup.io-44864", "type": "cve", "cve": "CVE-2022-23579"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23562: The implementation of 'Range' suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-qx3f-p745-w4hr", "transitive": false, "more_info_path": "/v/44850/f17", "id": "pyup.io-44850", "type": "cve", "cve": "CVE-2022-23562"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37687: In affected versions TFLite's 'GatherNd' implementation (https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather_nd.cc#L124) does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with negative values in 'indices'. 
Similar issue exists in 'Gather' implementation (https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather.cc). The Tensorflow team has patched the issue in GitHub commits bb6a0383ed553c286f87ca88c207f6774d5c4a8f and eb921122119a6b6e470ee98b89e65d721663179d.", "transitive": false, "more_info_path": "/v/41162/f17", "id": "pyup.io-41162", "type": "cve", "cve": "CVE-2021-37687"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"Apache Spark\" to handle CVE-2019-10099.", "transitive": true, "more_info_path": "/v/39824/f17", "id": "pyup.io-39824", "type": "cve", "cve": "CVE-2019-10099"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2", ">=2.4.0rc0,<2.4.0"], "advisory": "Tensorflow versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2 and 2.4.0 includes a fix for CVE-2020-26270: In affected versions, running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. 
This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.", "transitive": false, "more_info_path": "/v/39720/f17", "id": "pyup.io-39720", "type": "cve", "cve": "CVE-2020-26270"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41888: When running on GPU, 'tf.image.generate_bounding_box_proposals' receives a 'scores' input that must be of rank 4 but is not checked.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-6x99-gv2v-q76v", "transitive": false, "more_info_path": "/v/51947/f17", "id": "pyup.io-51947", "type": "cve", "cve": "CVE-2022-41888"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41898: If 'SparseFillEmptyRowsGrad' is given empty inputs, TensorFlow will crash.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-hq7g-wwwp-q46h", "transitive": false, "more_info_path": "/v/51956/f17", "id": "pyup.io-51956", "type": "cve", "cve": "CVE-2022-41898"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37683: In affected versions the implementation of division in TFLite is vulnerable to a division by 0 error (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/div.cc). There is no check that the divisor tensor does not contain zero elements. 
The Tensorflow team has patched the issue in GitHub commit 1e206baedf8bef0334cca3eb92bab134ef525a28.", "transitive": false, "more_info_path": "/v/41158/f17", "id": "pyup.io-41158", "type": "cve", "cve": "CVE-2021-37683"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37690:\r\nIn affected versions when running shape functions, some functions (such as 'MutableHashTableShape') produce extra output information in the form of a 'ShapeAndType' struct. The shapes embedded in this struct are owned by an inference context that is cleaned up almost immediately; if the upstream code attempts to access this shape information, it can trigger a segfault. 'ShapeRefiner' is mitigating this for normal output shapes by cloning them (and thus putting the newly created shape under ownership of an inference context that will not die), but the Tensorflow team was not doing the same for shapes and types. This commit fixes that by doing similar logic on output shapes and types. The Tensorflow team has patched the issue in GitHub commit ee119d4a498979525046fba1c3dd3f13a039fbb1.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-3hxh-8cp2-g4hg\r\nhttps://github.com/tensorflow/tensorflow/commit/ee119d4a498979525046fba1c3dd3f13a039fbb1", "transitive": false, "more_info_path": "/v/41166/f17", "id": "pyup.io-41166", "type": "cve", "cve": "CVE-2021-37690"}, {"specs": [">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "Tensorflow versions 2.2.1 and 2.3.1 include a fix for CVE-2020-15193: In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of \"dlpack.to_dlpack\" can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. 
The uninitialized memory address is due to a \"reinterpret_cast\". Since the \"PyObject\" is a Python object, not a Tensorflow tensor, the cast to \"EagerTensor\" fails. The issue was patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v", "transitive": false, "more_info_path": "/v/38823/f17", "id": "pyup.io-38823", "type": "cve", "cve": "CVE-2020-15193"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41200: In affected versions, if 'tf.summary.create_file_writer' is called with non-scalar arguments, code crashes due to a 'CHECK'-fail. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gh8h-7j2j-qv4f", "transitive": false, "more_info_path": "/v/42447/f17", "id": "pyup.io-42447", "type": "cve", "cve": "CVE-2021-41200"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37676: In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in 'tf.raw_ops.SparseFillEmptyRows'. The shape inference implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/ops/sparse_ops.cc#L608-L634) does not validate that the input arguments are not empty tensors. 
The Tensorflow team has patched the issue in GitHub commit 578e634b4f1c1c684d4b4294f9e5281b2133b3ed.", "transitive": false, "more_info_path": "/v/41151/f17", "id": "pyup.io-41151", "type": "cve", "cve": "CVE-2021-37676"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36019: 'CHECK' fail in 'FakeQuantWithMinMaxVarsPerChannel'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9j4v-pp28-mxv7", "transitive": false, "more_info_path": "/v/51103/f17", "id": "pyup.io-51103", "type": "cve", "cve": "CVE-2022-36019"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37646: In affected versions the implementation of 'tf.raw_ops.StringNGrams' is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The implementation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls 'reserve' on a 'tstring' with a value that sometimes can be negative if user supplies negative 'ngram_widths'. The 'reserve' method calls 'TF_TString_Reserve' which has an 'unsigned long' argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. The Tensorflow team has patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5.", "transitive": false, "more_info_path": "/v/41121/f17", "id": "pyup.io-41121", "type": "cve", "cve": "CVE-2021-37646"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. 
A malicious user can cause a denial of service by altering a `SavedModel` such that Grappler optimizer would attempt to build a tensor using a reference `dtype`. This would result in a crash due to a `CHECK`-fail in the `Tensor` constructor as reference types are not allowed. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44873/f17", "id": "pyup.io-44873", "type": "cve", "cve": "CVE-2022-23588"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35994: 'CHECK' fail in 'CollectiveGather'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-fhfc-2q7x-929f", "transitive": false, "more_info_path": "/v/51083/f17", "id": "pyup.io-51083", "type": "cve", "cve": "CVE-2022-35994"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35940: Int overflow in 'RaggedRangeOp'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-x989-q2pq-4q5x", "transitive": false, "more_info_path": "/v/51052/f17", "id": "pyup.io-51052", "type": "cve", "cve": "CVE-2022-35940"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 include a fix for CVE-2020-15207: In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses 'ResolveAxis' to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the 'DCHECK' does not trigger, then code execution moves ahead with a negative index. 
This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-q4qf-3fc6-8x34", "transitive": false, "more_info_path": "/v/39938/f17", "id": "pyup.io-39938", "type": "cve", "cve": "CVE-2020-15207"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37637: It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to `tf.raw_ops.CompressElement`. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/data/compression_utils.cc#L34) was accessing the size of a buffer obtained from the return of a separate function call before validating that said buffer is valid. The Tensorflow team has patched the issue in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5.", "transitive": false, "more_info_path": "/v/41112/f17", "id": "pyup.io-41112", "type": "cve", "cve": "CVE-2021-37637"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix an overflow and a denial of service in 'tf.raw_ops.ReverseSequence'. See CVE-2021-29575.", "transitive": false, "more_info_path": "/v/40726/f17", "id": "pyup.io-40726", "type": "cve", "cve": "CVE-2021-29575"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a null pointer dereference in 'StringNGrams'. 
See CVE-2021-29541.", "transitive": false, "more_info_path": "/v/40700/f17", "id": "pyup.io-40700", "type": "cve", "cve": "CVE-2021-29541"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4", ">=2.7.0rc0,<2.7.0"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1, 2.6.0 and 2.7.0 include a fix for CVE-2021-37678:\r\nIn affected versions, TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation(https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses \"yaml.unsafe_load\" which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, the Tensorflow team has removed it for now. The Tensorflow team has patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-r6jx-9g48-2r5r\r\nhttps://github.com/tensorflow/tensorflow/commit/23d6383eb6c14084a8fc3bdf164043b974818012", "transitive": false, "more_info_path": "/v/41153/f17", "id": "pyup.io-41153", "type": "cve", "cve": "CVE-2021-37678"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a division by 0 in 'Conv2DBackpropInput'. See CVE-2021-29525.", "transitive": false, "more_info_path": "/v/40684/f17", "id": "pyup.io-40684", "type": "cve", "cve": "CVE-2021-29525"}, {"specs": ["<=1.7"], "advisory": "Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). 
See CVE-2018-8825.", "transitive": false, "more_info_path": "/v/40791/f17", "id": "pyup.io-40791", "type": "cve", "cve": "CVE-2018-8825"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a stack overflow due to looping TFLite subgraph. See CVE-2021-29591.", "transitive": false, "more_info_path": "/v/40745/f17", "id": "pyup.io-40745", "type": "cve", "cve": "CVE-2021-29591"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a reference binding to null pointer in 'MatrixDiag*' ops. See CVE-2021-29515.", "transitive": false, "more_info_path": "/v/40673/f17", "id": "pyup.io-40673", "type": "cve", "cve": "CVE-2021-29515"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37655: TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a read from outside of bounds of heap allocated data by sending invalid arguments to 'tf.raw_ops.ResourceScatterUpdate'. The implementation (https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L919-L923) has an incomplete validation of the relationship between the shapes of 'indices' and 'updates': instead of checking that the shape of 'indices' is a prefix of the shape of 'updates' (so that broadcasting can happen), code only checks that the number of elements in these two tensors are in a divisibility relationship. 
The Tensorflow team has patched the issue in GitHub commit 01cff3f986259d661103412a20745928c727326f.", "transitive": false, "more_info_path": "/v/41130/f17", "id": "pyup.io-41130", "type": "cve", "cve": "CVE-2021-37655"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'Conv2D'. See CVE-2021-29526.", "transitive": false, "more_info_path": "/v/40685/f17", "id": "pyup.io-40685", "type": "cve", "cve": "CVE-2021-29526"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29216: Code injection in 'saved_model_cli'.", "transitive": false, "more_info_path": "/v/48629/f17", "id": "pyup.io-48629", "type": "cve", "cve": "CVE-2022-29216"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35937: OOB read in 'Gather_nd' op in TF Lite.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-pxrw-j2fv-hx3h", "transitive": false, "more_info_path": "/v/51049/f17", "id": "pyup.io-51049", "type": "cve", "cve": "CVE-2022-35937"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix fixes a heap OOB read in TFLite. 
See CVE-2021-29606.", "transitive": false, "more_info_path": "/v/40759/f17", "id": "pyup.io-40759", "type": "cve", "cve": "CVE-2021-29606"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35939: OOB write in 'scatter_nd' op in TF Lite.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-ffjm-4qwc-7cmf", "transitive": false, "more_info_path": "/v/51051/f17", "id": "pyup.io-51051", "type": "cve", "cve": "CVE-2022-35939"}, {"specs": ["<2.5.3", ">=2.6.0rc0,<2.6.3", ">=2.7.0rc0,<2.7.1"], "advisory": "Tensorflow versions 2.5.3, 2.6.3 and 2.7.1 include a fix for CVE-2021-41206: In affected versions, several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or 'CHECK'-fail related crashes but in some scenarios writes and reads from heap populated arrays are also possible. These issues were discovered internally via tooling while working on improving/testing GPU op determinism. As such, there aren't reproducers and there will be multiple fixes for these issues.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-pgcq-h79j-2f69\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-43q8-3fv7-pr5x", "transitive": false, "more_info_path": "/v/42453/f17", "id": "pyup.io-42453", "type": "cve", "cve": "CVE-2021-41206"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29585: The TFLite computation for size of output after padding, `ComputeOutSize`(https://github.com/tensorflow/tensorflow/blob/0c9692ae7b1671c983569e5d3de5565843d500cf/tensorflow/lite/kernels/padding.h#L43-L55), does not check that the `stride` argument is not 0 before doing the division. 
Users can craft special models such that `ComputeOutSize` is called with `stride` set to 0.", "transitive": false, "more_info_path": "/v/40738/f17", "id": "pyup.io-40738", "type": "cve", "cve": "CVE-2021-29585"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by incomplete validation in 'SparseSparseMinimum'. See CVE-2021-29607.", "transitive": false, "more_info_path": "/v/40762/f17", "id": "pyup.io-40762", "type": "cve", "cve": "CVE-2021-29607"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29556: An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.Reverse`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/36229ea9e9451dac14a8b1f4711c435a1d84a594/tensorflow/core/kernels/reverse_op.cc#L75-L76) performs a division based on the first dimension of the tensor argument.", "transitive": false, "more_info_path": "/v/40714/f17", "id": "pyup.io-40714", "type": "cve", "cve": "CVE-2021-29556"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 include a fix for CVE-2020-15204: In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling \"tf.raw_ops.GetSessionHandle\" or \"tf.raw_ops.GetSessionHandleV2\" results in a null pointer dereference In linked snippet, in eager mode, \"ctx->session_state()\" returns \"nullptr\". Since code immediately dereferences this, we get a segmentation fault. 
The issue was patched in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1", "transitive": false, "more_info_path": "/v/39941/f17", "id": "pyup.io-39941", "type": "cve", "cve": "CVE-2020-15204"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23568: The implementation of 'AddManySparseToTensorsMap' is vulnerable to an integer overflow which results in a 'CHECK'-fail when building new 'TensorShape' objects (so, an assert failure based denial of service). There are missing some validation on the shapes of the input tensors as well as directly constructing a large 'TensorShape' with user-provided dimensions.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-6445-fm66-fvq2", "transitive": false, "more_info_path": "/v/44795/f17", "id": "pyup.io-44795", "type": "cve", "cve": "CVE-2022-23568"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37672:\r\nIn affected versions, an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to \"tf.raw_ops.SdcaOptimizerV2\". The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/sdca_internal.cc#L320-L353) does not check that the length of \"example_labels\" is the same as the number of examples. 
The Tensorflow team has patched the issue in GitHub commit a4e138660270e7599793fa438cd7b2fc2ce215a6.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-5hj3-vjjf-f5m7\r\nhttps://github.com/tensorflow/tensorflow/commit/a4e138660270e7599793fa438cd7b2fc2ce215a6", "transitive": false, "more_info_path": "/v/41147/f17", "id": "pyup.io-41147", "type": "cve", "cve": "CVE-2021-37672"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 update its dependency 'curl' to v7.78.0 to handle CVE-2021-22922.", "transitive": true, "more_info_path": "/v/43613/f17", "id": "pyup.io-43613", "type": "cve", "cve": "CVE-2021-22922"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29200: Missing validation which causes denial of service via 'LSTMBlockCell'.", "transitive": false, "more_info_path": "/v/48641/f17", "id": "pyup.io-48641", "type": "cve", "cve": "CVE-2022-29200"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "TensorFlow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41227: In affected versions, the 'ImmutableConst' operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the 'tstring' TensorFlow string class has a special case for memory mapped strings but the operation itself does not offer any support for this datatype. 
The fix is also included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-j8c8-67vp-6mx7\r\nhttps://github.com/tensorflow/tensorflow/commit/1cb6bb6c2a6019417c9adaf9e6843ba75ee2580b\r\nhttps://github.com/tensorflow/tensorflow/commit/3712a2d3455e6ccb924daa5724a3652a86f6b585", "transitive": false, "more_info_path": "/v/42474/f17", "id": "pyup.io-42474", "type": "cve", "cve": "CVE-2021-41227"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by incomplete validation in 'SparseAdd'. See CVE-2021-29609.", "transitive": false, "more_info_path": "/v/40761/f17", "id": "pyup.io-40761", "type": "cve", "cve": "CVE-2021-29609"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29616: The implementation of TrySimplify (https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/grappler/optimizers/arithmetic_optimizer.cc#L390-L401) has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs.", "transitive": false, "more_info_path": "/v/40768/f17", "id": "pyup.io-40768", "type": "cve", "cve": "CVE-2021-29616"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41218: In affected versions, the shape inference code for 'AllToAll' can be made to execute a division by 0. This occurs whenever the 'split_count' argument is 0. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9crf-c6qr-r273\r\nhttps://github.com/tensorflow/tensorflow/commit/a8ad3e5e79c75f36edb81e0ba3f3c0c5442aeddc", "transitive": false, "more_info_path": "/v/42465/f17", "id": "pyup.io-42465", "type": "cve", "cve": "CVE-2021-41218"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29198: Missing validation which causes denial of service via 'SparseTensorToCSRSparseMatrix'.", "transitive": false, "more_info_path": "/v/48640/f17", "id": "pyup.io-48640", "type": "cve", "cve": "CVE-2022-29198"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37670:\r\nIn affected versions, an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to \"tf.raw_ops.UpperBound\". The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/searchsorted_op.cc#L85-L104) does not validate the rank of \"sorted_input\" argument. A similar issue occurs in \"tf.raw_ops.LowerBound\". 
The Tensorflow team has patched the issue in GitHub commit 42459e4273c2e47a3232cc16c4f4fff3b3a35c38.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9697-98pf-4rw7\r\nhttps://github.com/tensorflow/tensorflow/commit/42459e4273c2e47a3232cc16c4f4fff3b3a35c38", "transitive": false, "more_info_path": "/v/41145/f17", "id": "pyup.io-41145", "type": "cve", "cve": "CVE-2021-37670"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29583: The implementation of 'tf.raw_ops.FusedBatchNorm' is vulnerable to a heap buffer overflow. If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers. The implementation(https://github.com/tensorflow/tensorflow/blob/57d86e0db5d1365f19adcce848dfc1bf89fdd4c7/tensorflow/core/kernels/fused_batch_norm_op.cc) fails to validate that 'scale', 'offset', 'mean' and 'variance' (the last two only when required) all have the same number of elements as the number of channels of 'x'. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary. If the tensors are empty, the validation mentioned in the above paragraph would also trigger and prevent the undefined behavior.", "transitive": false, "more_info_path": "/v/40737/f17", "id": "pyup.io-40737", "type": "cve", "cve": "CVE-2021-29583"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29536: An attacker can cause a heap buffer overflow in 'QuantizedReshape' by passing in invalid thresholds for the quantization. 
This is because the implementation (https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba362a5e53d4e74d5de6729933e/tensorflow/core/kernels/quantized_reshape_op.cc#L38-L55) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then '.flat<T>()' is an empty buffer and accessing the element at position 0 results in overflow.", "transitive": false, "more_info_path": "/v/40696/f17", "id": "pyup.io-40696", "type": "cve", "cve": "CVE-2021-29536"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29543: An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.CTCGreedyDecoder`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1615440b17b364b875eb06f43d087381f1460a65/tensorflow/core/kernels/ctc_decoder_ops.cc#L37-L50) has a `CHECK_LT` inserted to validate some invariants. When this condition is false, the program aborts, instead of returning a valid error to the user. 
This abnormal termination can be weaponized in denial of service attacks.", "transitive": false, "more_info_path": "/v/40702/f17", "id": "pyup.io-40702", "type": "cve", "cve": "CVE-2021-29543"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35960: 'CHECK' failure in 'TensorListReserve' via missing validation.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-v5xg-3q2c-c2r4", "transitive": false, "more_info_path": "/v/51056/f17", "id": "pyup.io-51056", "type": "cve", "cve": "CVE-2022-35960"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29532: An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to `tf.raw_ops.RaggedCross`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/efea03b38fb8d3b81762237dc85e579cc5fc6e87/tensorflow/core/kernels/ragged_cross_op.cc#L456-L487) lacks validation for the user supplied arguments. Each of the above branches call a helper function after accessing array elements via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index. 
However, as there is no validation that the `next_*` values are in the valid range for the corresponding `*_list` arrays, this results in heap OOB reads.", "transitive": false, "more_info_path": "/v/40691/f17", "id": "pyup.io-40691", "type": "cve", "cve": "CVE-2021-29532"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 update its dependency 'curl' to version 7.76.0 to handle CVE-2020-8169.", "transitive": true, "more_info_path": "/v/40772/f17", "id": "pyup.io-40772", "type": "cve", "cve": "CVE-2020-8169"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25673: Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.", "transitive": false, "more_info_path": "/v/53859/f17", "id": "pyup.io-53859", "type": "cve", "cve": "CVE-2023-25673"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25672: The function 'tf.raw_ops.LookupTableImportV2' cannot handle scalars in the 'values' parameter and gives an NPE. 
A fix is included in TensorFlow version 2.12.0 and version 2.11.1.", "transitive": false, "more_info_path": "/v/53858/f17", "id": "pyup.io-53858", "type": "cve", "cve": "CVE-2023-25672"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29207: Issues arising from undefined behavior stemming from users supplying invalid resource handles.", "transitive": false, "more_info_path": "/v/48643/f17", "id": "pyup.io-48643", "type": "cve", "cve": "CVE-2022-29207"}, {"specs": ["<1.7.1"], "advisory": "Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory. See CVE-2018-7577.", "transitive": false, "more_info_path": "/v/40790/f17", "id": "pyup.io-40790", "type": "cve", "cve": "CVE-2018-7577"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 include a fix for CVE-2020-15195: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of 'SparseFillEmptyRowsGrad' uses a double indexing pattern. 
It is possible for 'reverse_index_map(i)' to be an index outside of bounds of 'grad_values', thus resulting in a heap buffer overflow.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-63xm-rx5p-xvqr", "transitive": false, "more_info_path": "/v/39944/f17", "id": "pyup.io-39944", "type": "cve", "cve": "CVE-2020-15195"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2", ">=2.4.0rc0,<2.4.0"], "advisory": "Tensorflow versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2 and 2.4.0 includes a fix for CVE-2020-26271: In affected versions, under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is no check that the indices point to inside of the arrays they index into. Thus, this can result in accessing data out of bounds of the corresponding heap allocated arrays. In most scenarios, this can manifest as unitialized data access, but if the index points far away from the boundaries of the arrays this can be used to leak addresses from the library.", "transitive": false, "more_info_path": "/v/39719/f17", "id": "pyup.io-39719", "type": "cve", "cve": "CVE-2020-26271"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a division by 0 in 'Conv2DBackpropFilter'. 
See CVE-2021-29524.", "transitive": false, "more_info_path": "/v/40683/f17", "id": "pyup.io-40683", "type": "cve", "cve": "CVE-2021-29524"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 update its dependency \"SQLite3\" to handle CVE-2019-19880.", "transitive": true, "more_info_path": "/v/38460/f17", "id": "pyup.io-38460", "type": "cve", "cve": "CVE-2019-19880"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2"], "advisory": "Tensorflow versions 2.3.2, 2.2.2, 2.1.3, 2.0.4 and 1.15.5 update its dependency \"PCRE\" to fix CVE-2019-20838.", "transitive": true, "more_info_path": "/v/39406/f17", "id": "pyup.io-39406", "type": "cve", "cve": "CVE-2019-20838"}, {"specs": [">=2.0.0a0,<2.0.1", "<1.15.2"], "advisory": "Tensorflow versions 1.15.2 and 2.0.1 updates its dependency \"curl\" to handle CVE-2019-5481.", "transitive": true, "more_info_path": "/v/39570/f17", "id": "pyup.io-39570", "type": "cve", "cve": "CVE-2019-5481"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37671: In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in 'tf.raw_ops.Map*' and 'tf.raw_ops.OrderedMap*' operations. The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/map_stage_op.cc#L222-L248) has a check in place to ensure that 'indices' is in ascending order, but does not check that 'indices' is not empty. 
The Tensorflow team has patched the issue in GitHub commit 532f5c5a547126c634fefd43bbad1dc6417678ac.", "transitive": false, "more_info_path": "/v/41146/f17", "id": "pyup.io-41146", "type": "cve", "cve": "CVE-2021-37671"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2"], "advisory": "Tensorflow versions 2.3.2, 2.2.2, 2.1.3, 2.0.4 and 1.15.5 update its dependency 'Junit4' to v4.13.1 to include a security fix.", "transitive": true, "more_info_path": "/v/39724/f17", "id": "pyup.io-39724", "type": "cve", "cve": "CVE-2020-15250"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2"], "advisory": "Tensorflow versions 1.15.5, 2.0.4, 2.1.3, 2.2.2 and 2.3.2 update its dependency \"PCRE\" to handle CVE-2020-14155.", "transitive": true, "more_info_path": "/v/39725/f17", "id": "pyup.io-39725", "type": "cve", "cve": "CVE-2020-14155"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"SQLite\" to handle CVE-2019-19645.", "transitive": true, "more_info_path": "/v/39819/f17", "id": "pyup.io-39819", "type": "cve", "cve": "CVE-2019-19645"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"libjpeg-turbo\" to handle CVE-2018-19664.", "transitive": true, "more_info_path": "/v/39821/f17", "id": "pyup.io-39821", "type": "cve", "cve": "CVE-2018-19664"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"libjpeg-turbo\" to handle CVE-2018-20330.", "transitive": true, "more_info_path": "/v/39822/f17", "id": "pyup.io-39822", "type": "cve", "cve": "CVE-2018-20330"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its 
dependency \"libjpeg-turbo\" to handle CVE-2019-13960.", "transitive": true, "more_info_path": "/v/39823/f17", "id": "pyup.io-39823", "type": "cve", "cve": "CVE-2019-13960"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"Apache Spark\" to handle CVE-2018-17190.", "transitive": true, "more_info_path": "/v/39825/f17", "id": "pyup.io-39825", "type": "cve", "cve": "CVE-2018-17190"}, {"specs": ["<1.15.3", ">=2.0.0a0,<2.0.2", ">=2.1.0rc0,<2.1.1"], "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 update its dependency \"Apache Spark\" to handle CVE-2018-11770.", "transitive": true, "more_info_path": "/v/39826/f17", "id": "pyup.io-39826", "type": "cve", "cve": "CVE-2018-11770"}, {"specs": [">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow version 2.8.0 includes a fix for CVE-2022-23592: TensorFlow's type inference can cause a heap out of bounds read as the bounds checking is done in a 'DCHECK' (which is a no-op during production). 
An attacker can control the 'input_idx' variable such that 'ix' would be larger than the number of values in 'node_t.args'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-vq36-27g6-p492", "transitive": false, "more_info_path": "/v/44877/f17", "id": "pyup.io-44877", "type": "cve", "cve": "CVE-2022-23592"}, {"specs": [">=1.15.0rc0,<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 updates its dependency \"SQLite\" to handle CVE-2020-15358.", "transitive": true, "more_info_path": "/v/39873/f17", "id": "pyup.io-39873", "type": "cve", "cve": "CVE-2020-15358"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2 and 2.2.1 updates its dependency \"SQLite\" to handle CVE-2020-13871.", "transitive": true, "more_info_path": "/v/39899/f17", "id": "pyup.io-39899", "type": "cve", "cve": "CVE-2020-13871"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2 and 2.2.1 updates its dependency \"SQLite\" to handle CVE-2020-13630.", "transitive": true, "more_info_path": "/v/39901/f17", "id": "pyup.io-39901", "type": "cve", "cve": "CVE-2020-13630"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25676: When running versions prior to 2.12.0 and 2.11.1 with XLA, 'tf.raw_ops.ParallelConcat' segfaults with a nullptr dereference when given a parameter 'shape' with rank that is not greater than zero.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-6wfh-89q8-44jq", "transitive": false, "more_info_path": "/v/53862/f17", "id": "pyup.io-53862", "type": "cve", "cve": "CVE-2023-25676"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1"], "advisory": "Tensorflow versions 
1.15.4, 2.0.3, 2.1.2 and 2.2.1 updates its dependency \"SQLite\" to handle CVE-2020-13434.", "transitive": true, "more_info_path": "/v/39903/f17", "id": "pyup.io-39903", "type": "cve", "cve": "CVE-2020-13434"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2 and 2.2.1 update its dependency \"SQLite\" to handle CVE-2020-9327.", "transitive": true, "more_info_path": "/v/39906/f17", "id": "pyup.io-39906", "type": "cve", "cve": "CVE-2020-9327"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2 and 2.2.1 update its dependency \"SQLite\" to handle CVE-2020-11655.", "transitive": true, "more_info_path": "/v/39932/f17", "id": "pyup.io-39932", "type": "cve", "cve": "CVE-2020-11655"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25666: Prior to versions 2.12.0 and 2.11.1, there is a floating point exception in AudioSpectrogram. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-f637-vh3r-vfh2", "transitive": false, "more_info_path": "/v/53852/f17", "id": "pyup.io-53852", "type": "cve", "cve": "CVE-2023-25666"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37679:\r\nIn affected versions it is possible to nest a \"tf.map_fn\" within another \"tf.map_fn\" call. However, if the input tensor is a \"RaggedTensor\" and there is no function signature provided, code assumes the output is a fully specified tensor and fills output buffer with uninitialized contents from the heap. The \"t\" and \"z\" outputs should be identical, however this is not the case. 
The last row of \"t\" contains data from the heap which can be used to leak other memory information. The bug lies in the conversion from a \"Variant\" tensor to a \"RaggedTensor\". The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/ragged_tensor_from_variant_op.cc#L177-L190) does not check that all inner shapes match and this results in the additional dimensions. The same implementation can result in data loss, if input tensor is tweaked. The Tensorflow team has patched the issue in GitHub commit 4e2565483d0ffcadc719bd44893fb7f609bb5f12.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-g8wg-cjwc-xhhp\r\nhttps://github.com/tensorflow/tensorflow/commit/4e2565483d0ffcadc719bd44893fb7f609bb5f12", "transitive": false, "more_info_path": "/v/41154/f17", "id": "pyup.io-41154", "type": "cve", "cve": "CVE-2021-37679"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 update its dependency \"curl\" to v7.76.0 to include security fixes.", "transitive": true, "more_info_path": "/v/40774/f17", "id": "pyup.io-40774", "type": "cve", "cve": "CVE-2020-8231"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2", ">=2.4.0rc0,<2.4.0"], "advisory": "Tensorflow versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2 and 2.4.0 includes a fix for CVE-2020-26267: In affected versions, the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. 
This can result in uninitialized memory accesses, read outside of bounds and even crashes.", "transitive": false, "more_info_path": "/v/39722/f17", "id": "pyup.io-39722", "type": "cve", "cve": "CVE-2020-26267"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow 2.3.4, 2.4.3, 2.5.1, and 2.6.0 updates its dependency 'curl' to v7.77.0 to include security fixes.", "transitive": true, "more_info_path": "/v/41104/f17", "id": "pyup.io-41104", "type": "cve", "cve": "CVE-2021-22901"}, {"specs": [">=2.6.0a1,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow versions 2.3.4, 2.4.3, 2.5.1, and 2.6.0 update its dependency \"curl\" to include a fix for CVE-2021-22898", "transitive": true, "more_info_path": "/v/41105/f17", "id": "pyup.io-41105", "type": "cve", "cve": "CVE-2021-22898"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow 2.3.4, 2.4.3, 2.5.1, and 2.6.0 updates its dependency 'curl' to v7.77.0 to include security fixes.", "transitive": true, "more_info_path": "/v/41106/f17", "id": "pyup.io-41106", "type": "cve", "cve": "CVE-2021-22897"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow 2.3.4, 2.4.3, 2.5.1, and 2.6.0 updates its dependency 'curl' to v7.77.0 to include security fixes.", "transitive": true, "more_info_path": "/v/41107/f17", "id": "pyup.io-41107", "type": "cve", "cve": "CVE-2021-22876"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29208: Segfault and OOB write due to incomplete validation in 'EditDistance'.", "transitive": false, "more_info_path": "/v/48649/f17", "id": "pyup.io-48649", "type": "cve", "cve": "CVE-2022-29208"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], 
"advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25667: Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when '2^31 <= num_frames * height * width * channels < 2^32', for example Full HD screencast of at least 346 frames.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-fqm2-gh8w-gr68", "transitive": false, "more_info_path": "/v/53853/f17", "id": "pyup.io-53853", "type": "cve", "cve": "CVE-2023-25667"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29195: Missing validation which causes denial of service via 'StagePeek'.", "transitive": false, "more_info_path": "/v/48637/f17", "id": "pyup.io-48637", "type": "cve", "cve": "CVE-2022-29195"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21728: The implementation of shape inference for 'ReverseSequence' does not fully validate the value of 'batch_dim' and can result in a heap OOB read. There is a check to make sure the value of 'batch_dim' does not go over the rank of the input, but there is no check for negative values. 
Negative dimensions are allowed in some cases to mimic Python's negative indexing (i.e., indexing from the end of the array), however if the value is too negative then the implementation of 'Dim' would access elements before the start of an array.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gmv-pjp9-p8w8", "transitive": false, "more_info_path": "/v/44780/f17", "id": "pyup.io-44780", "type": "cve", "cve": "CVE-2022-21728"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 update 'curl' to '7.76.0' to handle CVE-2020-8177.", "transitive": true, "more_info_path": "/v/40773/f17", "id": "pyup.io-40773", "type": "cve", "cve": "CVE-2020-8177"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37638: Sending invalid argument for 'row_partition_types' of 'tf.raw_ops.RaggedTensorToTensor' API results in a null pointer dereference and undefined behavior. The implementation (https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L328) accesses the first element of a user supplied list of values without validating that the provided list is not empty. 
The Tensorflow team has patched the issue in GitHub commit 301ae88b331d37a2a16159b65b255f4f9eb39314.", "transitive": false, "more_info_path": "/v/41113/f17", "id": "pyup.io-41113", "type": "cve", "cve": "CVE-2021-37638"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41901: An input 'sparse_matrix' that is not a matrix with a shape with rank 0 will trigger a 'CHECK' fail in 'tf.raw_ops.SparseMatrixNNZ'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-g9fm-r5mm-rf9f", "transitive": false, "more_info_path": "/v/51959/f17", "id": "pyup.io-51959", "type": "cve", "cve": "CVE-2022-41901"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37654: In affected versions an attacker can trigger a crash via a 'CHECK'-fail in debug builds of TensorFlow using 'tf.raw_ops.ResourceGather' or a read from outside the bounds of heap allocated data in the same API in a release build. The implementation (https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L660-L668) does not check that the 'batch_dims' value that the user supplies is less than the rank of the input tensor. Since the implementation uses several for loops over the dimensions of 'tensor', this results in reading data from outside the bounds of heap allocated buffer backing the tensor. 
The Tensorflow team has patched the issue in GitHub commit bc9c546ce7015c57c2f15c168b3d9201de679a1d.", "transitive": false, "more_info_path": "/v/41129/f17", "id": "pyup.io-41129", "type": "cve", "cve": "CVE-2021-37654"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 updates 'curl' to '7.76.0' to handle CVE-2020-8286: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.", "transitive": true, "more_info_path": "/v/40777/f17", "id": "pyup.io-40777", "type": "cve", "cve": "CVE-2020-8286"}, {"specs": [">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "Tensorflow versions 2.2.1 and 2.3.1 include a fix for CVE-2020-15191: In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to 'dlpack.to_dlpack' the expected validations will cause variables to bind to 'nullptr' while setting a 'status' variable to the error condition. However, this 'status' argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with '-fsanitize=null'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-q8qj-fc9q-cphr", "transitive": false, "more_info_path": "/v/39872/f17", "id": "pyup.io-39872", "type": "cve", "cve": "CVE-2020-15191"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'BatchToSpaceNd'. 
See CVE-2021-29593.", "transitive": false, "more_info_path": "/v/40749/f17", "id": "pyup.io-40749", "type": "cve", "cve": "CVE-2021-29593"}, {"specs": [">=2.4.0rc0,<2.4.0"], "advisory": "TensorFlow 2.4.0 includes a fix for CVE-2020-26269: In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched.", "transitive": false, "more_info_path": "/v/40796/f17", "id": "pyup.io-40796", "type": "cve", "cve": "CVE-2020-26269"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2", ">=2.4.0rc0,<2.4.0"], "advisory": "TensorFlow versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0 includes a fix for CVE-2020-26266: In affected versions and under certain cases a saved model can trigger use of uninitialized values during code execution. 
This is caused by having tensor buffers filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen.", "transitive": false, "more_info_path": "/v/39408/f17", "id": "pyup.io-39408", "type": "cve", "cve": "CVE-2020-26266"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29194: Missing validation which causes denial of service via 'DeleteSessionTensor'.", "transitive": false, "more_info_path": "/v/48635/f17", "id": "pyup.io-48635", "type": "cve", "cve": "CVE-2022-29194"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow versions 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 update its dependency \"curl\" to handle CVE-2020-8284.", "transitive": true, "more_info_path": "/v/40775/f17", "id": "pyup.io-40775", "type": "cve", "cve": "CVE-2020-8284"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41895: If 'MirrorPadGrad' is given outsize input 'paddings', TensorFlow will give a heap OOB error.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gq2j-cr96-gvqx", "transitive": false, "more_info_path": "/v/51953/f17", "id": "pyup.io-51953", "type": "cve", "cve": "CVE-2022-41895"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'TransposeConv'. 
See CVE-2021-29588.", "transitive": false, "more_info_path": "/v/40742/f17", "id": "pyup.io-40742", "type": "cve", "cve": "CVE-2021-29588"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29540: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow to occur in 'Conv2DBackpropFilter'. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L495-L497) computes the size of the filter tensor but does not validate that it matches the number of elements in 'filter_sizes'. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor.", "transitive": false, "more_info_path": "/v/40698/f17", "id": "pyup.io-40698", "type": "cve", "cve": "CVE-2021-29540"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37651: In affected versions the implementation for 'tf.raw_ops.FractionalAvgPoolGrad' can be tricked into accessing data outside of bounds of heap allocated buffers. The implementation (https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/fractional_avg_pool_op.cc#L205) does not validate that the input tensor is non-empty. Thus, code constructs an empty 'EigenDoubleMatrixMap' and then accesses this buffer with indices that are outside of the empty area. 
The Tensorflow team has patched the issue in GitHub commit 0f931751fb20f565c4e94aa6df58d54a003cdb30.", "transitive": false, "more_info_path": "/v/41126/f17", "id": "pyup.io-41126", "type": "cve", "cve": "CVE-2021-37651"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41891: If 'tf.raw_ops.TensorListConcat' is given 'element_shape=[]', it results in a segmentation fault which can be used to trigger a denial of service attack.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-66vq-54fq-6jvv", "transitive": false, "more_info_path": "/v/51950/f17", "id": "pyup.io-51950", "type": "cve", "cve": "CVE-2022-41891"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27781.", "transitive": true, "more_info_path": "/v/48662/f17", "id": "pyup.io-48662", "type": "cve", "cve": "CVE-2022-27781"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41911: When printing a tensor, we get its data as a 'const char*' array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from 'char' to 'bool' are undefined if the 'char' is not '0' or '1', so sanitizers/fuzzers will crash.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-pf36-r9c6-h97j", "transitive": false, "more_info_path": "/v/51963/f17", "id": "pyup.io-51963", "type": "cve", "cve": "CVE-2022-41911"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41889: If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a 'nullptr', which is not caught. 
An example can be seen in 'tf.compat.v1.extract_volume_patches' by passing in quantized tensors as input 'ksizes'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-xxcj-rhqg-m46g", "transitive": false, "more_info_path": "/v/51948/f17", "id": "pyup.io-51948", "type": "cve", "cve": "CVE-2022-41889"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25674: Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gf97-q72m-7579", "transitive": false, "more_info_path": "/v/53860/f17", "id": "pyup.io-53860", "type": "cve", "cve": "CVE-2023-25674"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23563: In multiple places, TensorFlow uses 'tempfile.mktemp' to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in 'mktemp' and the actual creation of the file by a subsequent operation (a TOC/TOU type of weakness). In several instances, TensorFlow was supposed to actually create a temporary directory instead of a file. This logic bug is hidden away by the 'mktemp' function usage. 
'mktemp' was replaced with the safer 'mkstemp'/'mkdtemp' functions, according to the usage pattern.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-wc4g-r73w-x8mm", "transitive": false, "more_info_path": "/v/44851/f17", "id": "pyup.io-44851", "type": "cve", "cve": "CVE-2022-23563"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-30115.", "transitive": true, "more_info_path": "/v/48664/f17", "id": "pyup.io-48664", "type": "cve", "cve": "CVE-2022-30115"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2"], "advisory": "Tensorflow versions 2.3.2, 2.2.2, 2.1.3, 2.0.4 and 1.15.5 updates its dependency \"Libjpeg-turbo\" to handle CVE-2020-13790.", "transitive": true, "more_info_path": "/v/39726/f17", "id": "pyup.io-39726", "type": "cve", "cve": "CVE-2020-13790"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'SparseMatMul'. See CVE-2021-29557.", "transitive": false, "more_info_path": "/v/40713/f17", "id": "pyup.io-40713", "type": "cve", "cve": "CVE-2021-29557"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a 'CHECK'-fail in 'AddManySparseToTensorsMap'. See CVE-2021-29523.", "transitive": false, "more_info_path": "/v/40682/f17", "id": "pyup.io-40682", "type": "cve", "cve": "CVE-2021-29523"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'MaxPoolGrad'. 
See CVE-2021-29579.", "transitive": false, "more_info_path": "/v/40733/f17", "id": "pyup.io-40733", "type": "cve", "cve": "CVE-2021-29579"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2021-41197: Affected versions allow tensors to have a large number of dimensions and each dimension can be as large as desired. However, the total number of elements in a tensor must fit within an 'int64_t'. If an overflow occurs, 'MultiplyWithoutOverflow' would return a negative result. In the majority of TensorFlow codebase this then results in a 'CHECK'-failure. Newer constructs exist which return a 'Status' instead of crashing the binary. This is similar to CVE-2021-29584.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-prcg-wp5q-rv7p\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-wcv5-vrvr-3rx2\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-mw6j-hh29-h379", "transitive": false, "more_info_path": "/v/42444/f17", "id": "pyup.io-42444", "type": "cve", "cve": "CVE-2021-41197"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37668:\r\nIn affected versions, an attacker can cause denial of service in applications serving models using \"tf.raw_ops.UnravelIndex\" by triggering a division by 0. The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/unravel_index_op.cc#L36) does not check that the tensor subsumed by \"dims\" is not empty. Hence, if one element of \"dims\" is 0, the implementation does a division by 0. 
The Tensorflow team has patched the issue in GitHub commit a776040a5e7ebf76eeb7eb923bf1ae417dd4d233.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-2wmv-37vq-52g5\r\nhttps://github.com/tensorflow/tensorflow/commit/a776040a5e7ebf76eeb7eb923bf1ae417dd4d233", "transitive": false, "more_info_path": "/v/41143/f17", "id": "pyup.io-41143", "type": "cve", "cve": "CVE-2021-37668"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1", ">=2.11.0rc0,<2.11.0"], "advisory": "TensorFlow 2.8.4, 2.9.3, 2.10.1 and 2.11.0 include a fix for CVE-2022-35991: 'CHECK' fail in 'TensorListScatter' and 'TensorListScatterV2'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-vm7x-4qhj-rrcq\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-xf83-q765-xm6m", "transitive": false, "more_info_path": "/v/51080/f17", "id": "pyup.io-51080", "type": "cve", "cve": "CVE-2022-35991"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29535: An attacker can cause a heap buffer overflow in 'QuantizedMul' by passing in invalid thresholds for the quantization. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/87cf4d3ea9949051e50ca3f071fc909538a51cd0/tensorflow/core/kernels/quantized_mul_op.cc#L287-L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. 
However, if any of these tensors is empty, then '.flat<T>()' is an empty buffer and accessing the element at position 0 results in overflow.", "transitive": false, "more_info_path": "/v/40693/f17", "id": "pyup.io-40693", "type": "cve", "cve": "CVE-2021-29535"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25661: In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the 'Convolution3DTranspose' function. This Convolution3DTranspose layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure could be potentially used to trigger a denial of service attack on ML cloud services. An attacker must have privilege to provide input to a 'Convolution3DTranspose' call.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-fxgc-95xx-grvq", "transitive": false, "more_info_path": "/v/53903/f17", "id": "pyup.io-53903", "type": "cve", "cve": "CVE-2023-25661"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29552: An attacker can cause a denial of service by controlling the values of `num_segments` tensor argument for `UnsortedSegmentJoin`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a2a607db15c7cd01d754d37e5448d72a13491bdb/tensorflow/core/kernels/unsorted_segment_join_op.cc#L92-L93) assumes that the `num_segments` tensor is a valid scalar. 
Since the tensor is empty the `CHECK` involved in `.scalar<T>()()` that checks that the number of elements is exactly 1 will be invalidated and this would result in process termination.", "transitive": false, "more_info_path": "/v/40710/f17", "id": "pyup.io-40710", "type": "cve", "cve": "CVE-2021-29552"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25801: Prior to versions 2.12.0 and 2.11.1, 'nn_ops.fractional_avg_pool_v2' and 'nn_ops.fractional_max_pool_v2' require the first and fourth elements of their parameter 'pooling_ratio' to be equal to 1.0, as pooling on batch and channel dimensions is not supported.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-f49c-87jh-g47q", "transitive": false, "more_info_path": "/v/53863/f17", "id": "pyup.io-53863", "type": "cve", "cve": "CVE-2023-25801"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25675: When running versions prior to 2.12.0 and 2.11.1 with XLA, 'tf.raw_ops.Bincount' segfaults when given a parameter 'weights' that is neither the same shape as parameter 'arr' nor a length-0 tensor.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-7x4v-9gxg-9hwj", "transitive": false, "more_info_path": "/v/53861/f17", "id": "pyup.io-53861", "type": "cve", "cve": "CVE-2023-25675"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'zlib' to v1.2.12 to handle CVE-2018-25032.", "transitive": true, "more_info_path": "/v/48665/f17", "id": "pyup.io-48665", "type": "cve", "cve": "CVE-2018-25032"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'BandedTriangularSolve'. 
See CVE-2021-29612.", "transitive": false, "more_info_path": "/v/40765/f17", "id": "pyup.io-40765", "type": "cve", "cve": "CVE-2021-29612"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41885: When 'tf.raw_ops.FusedResizeAndPadConv2D' is given a large tensor shape, it overflows.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-762h-vpvw-3rcx", "transitive": false, "more_info_path": "/v/51944/f17", "id": "pyup.io-51944", "type": "cve", "cve": "CVE-2022-41885"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 update 'curl' to v7.83.1 to handle CVE-2022-27774.", "transitive": true, "more_info_path": "/v/48656/f17", "id": "pyup.io-48656", "type": "cve", "cve": "CVE-2022-27774"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21730: The implementation of 'FractionalAvgPoolGrad' does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-vjg4-v33c-ggc4", "transitive": false, "more_info_path": "/v/44782/f17", "id": "pyup.io-44782", "type": "cve", "cve": "CVE-2022-21730"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41899: TensorFlow is an open source platform for machine learning. 
Inputs 'dense_features' or 'example_state_data' not of rank 2 will trigger a 'CHECK' fail in 'SdcaOptimizer'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-27rc-728f-x5w2", "transitive": false, "more_info_path": "/v/51957/f17", "id": "pyup.io-51957", "type": "cve", "cve": "CVE-2022-41899"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37662: In affected versions an attacker can generate undefined behavior via a reference binding to nullptr in 'BoostedTreesCalculateBestGainsPerFeature' and a similar attack can occur in 'BoostedTreesCalculateBestFeatureSplitV2'. The implementation (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/stats_ops.cc) does not validate the input values. The Tensorflow team has patched the issue in GitHub commit 9c87c32c710d0b5b53dc6fd3bfde4046e1f7a5ad and in commit 429f009d2b2c09028647dd4bb7b3f6f414bbaad7.", "transitive": false, "more_info_path": "/v/41137/f17", "id": "pyup.io-41137", "type": "cve", "cve": "CVE-2021-37662"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix an integer overflow in TFLite memory allocation. 
See CVE-2021-29605.", "transitive": false, "more_info_path": "/v/40757/f17", "id": "pyup.io-40757", "type": "cve", "cve": "CVE-2021-29605"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29203: Integer overflow in 'SpaceToBatchND'.", "transitive": false, "more_info_path": "/v/48648/f17", "id": "pyup.io-48648", "type": "cve", "cve": "CVE-2022-29203"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25665: Prior to versions 2.12.0 and 2.11.1, when 'SparseSparseMaximum' is given invalid sparse tensors as inputs, it can give a null pointer error.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-558h-mq8x-7q9g", "transitive": false, "more_info_path": "/v/53851/f17", "id": "pyup.io-53851", "type": "cve", "cve": "CVE-2023-25665"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21736: The implementation of 'SparseTensorSliceDataset' has an undefined behavior: under certain conditions, it can be made to dereference a 'nullptr' value. The 3 input arguments to 'SparseTensorSliceDataset' represent a sparse tensor. However, there are some preconditions that these arguments must satisfy, but these are not validated in the implementation.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-pfjj-m3jj-9jc9", "transitive": false, "more_info_path": "/v/44788/f17", "id": "pyup.io-44788", "type": "cve", "cve": "CVE-2022-21736"}, {"specs": [">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow 2.8.0 includes a fix for CVE-2022-23593: The 'simplifyBroadcast' function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault (hence, denial of service), if called with scalar shapes. 
If all shapes are scalar, then 'maxRank' is 0, so we build an empty 'SmallVector'. \r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gwcx-jrx4-92w2", "transitive": false, "more_info_path": "/v/44878/f17", "id": "pyup.io-44878", "type": "cve", "cve": "CVE-2022-23593"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41201: In affected versions, during execution, 'EinsumHelper::ParseEquation()' is supposed to set the flags in 'input_has_ellipsis' vector and '*output_has_ellipsis' boolean to indicate whether there is ellipsis in the corresponding inputs and output. However, the code only changes these flags to 'true' and never assigns 'false'. This results in uninitialized variable access if callers assume that 'EinsumHelper::ParseEquation()' always sets these flags. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-j86v-p27c-73fm\r\nhttps://github.com/tensorflow/tensorflow/commit/f09caa532b6e1ac8d2aa61b7832c78c5b79300c6", "transitive": false, "more_info_path": "/v/42448/f17", "id": "pyup.io-42448", "type": "cve", "cve": "CVE-2021-41201"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36017: Segfault in 'Requantize'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-wqmc-pm8c-2jhc", "transitive": false, "more_info_path": "/v/51101/f17", "id": "pyup.io-51101", "type": "cve", "cve": "CVE-2022-36017"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37689: In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. 
This is caused by the MLIR optimization of 'L2NormalizeReduceAxis' operator. The implementation (https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/compiler/mlir/lite/transforms/optimize.cc#L67-L70) unconditionally dereferences a pointer to an iterator to a vector without checking that the vector has elements. The Tensorflow team has patched the issue in GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955.", "transitive": false, "more_info_path": "/v/41164/f17", "id": "pyup.io-41164", "type": "cve", "cve": "CVE-2021-37689"}, {"specs": [">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.7.1 and 2.8.0 include a fix for CVE-2022-23590: A 'GraphDef' from a TensorFlow 'SavedModel' can be maliciously altered to cause a TensorFlow process to crash due to encountering a 'StatusOr' value that is an error and forcibly extracting the value from it.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-pqrv-8r2f-7278", "transitive": false, "more_info_path": "/v/44875/f17", "id": "pyup.io-44875", "type": "cve", "cve": "CVE-2022-23590"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 include a fix for CVE-2020-15206: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's \"SavedModel\" protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using \"tensorflow-serving\" or other inference-as-a-service installments. Fixes were added in commits f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d. However, this was not enough, as #41097 reported a different failure mode. 
The issue was finally patched in commit df095206f25471e864a8e63a0f1caef53a0e3a6", "transitive": false, "more_info_path": "/v/39939/f17", "id": "pyup.io-39939", "type": "cve", "cve": "CVE-2020-15206"}, {"specs": ["<1.6.0a1"], "advisory": "Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent. See CVE-2018-7576.", "transitive": false, "more_info_path": "/v/40789/f17", "id": "pyup.io-40789", "type": "cve", "cve": "CVE-2018-7576"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36003: 'CHECK' fail in 'RandomPoissonV2'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-cv2p-32v3-vhwq", "transitive": false, "more_info_path": "/v/51092/f17", "id": "pyup.io-51092", "type": "cve", "cve": "CVE-2022-36003"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36015: Integer overflow in math ops. 
\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-rh87-q4vg-m45j", "transitive": false, "more_info_path": "/v/51099/f17", "id": "pyup.io-51099", "type": "cve", "cve": "CVE-2022-36015"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.4.0rc0,<2.4.2", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29551: The implementation of 'MatrixTriangularSolve' (https://github.com/tensorflow/tensorflow/blob/8cae746d8449c7dda5298327353d68613f16e798/tensorflow/core/kernels/linalg/matrix_triangular_solve_op_impl.h#L160-L240) fails to terminate kernel execution if one validation condition fails.", "transitive": false, "more_info_path": "/v/40708/f17", "id": "pyup.io-40708", "type": "cve", "cve": "CVE-2021-29551"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41209: In affected versions, the implementations for convolution operators trigger a division by 0 if passed empty filter tensor arguments. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-6hpv-v2rx-c5g6\r\nhttps://github.com/tensorflow/tensorflow/commit/f2c3931113eaafe9ef558faaddd48e00a6606235", "transitive": false, "more_info_path": "/v/42456/f17", "id": "pyup.io-42456", "type": "cve", "cve": "CVE-2021-41209"}, {"specs": ["<1.7.0a1"], "advisory": "Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent. 
See CVE-2018-7575.", "transitive": false, "more_info_path": "/v/40788/f17", "id": "pyup.io-40788", "type": "cve", "cve": "CVE-2018-7575"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23595: When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference. In the default scenario, all devices are allowed, so 'flr->config_proto' is 'nullptr'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-fpcp-9h7m-ffpx", "transitive": false, "more_info_path": "/v/44880/f17", "id": "pyup.io-44880", "type": "cve", "cve": "CVE-2022-23595"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21741: An attacker can craft a TFLite model that would trigger a division by zero in the implementation of depthwise convolutions. The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding that needs to be added before applying the convolution. There is no check before this division that the divisor is strictly positive.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-428x-9xc2-m8mj", "transitive": false, "more_info_path": "/v/44793/f17", "id": "pyup.io-44793", "type": "cve", "cve": "CVE-2022-21741"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a null pointer dereference in 'EditDistance'. 
See CVE-2021-29564.", "transitive": false, "more_info_path": "/v/40721/f17", "id": "pyup.io-40721", "type": "cve", "cve": "CVE-2021-29564"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37656: In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in 'tf.raw_ops.RaggedTensorToSparse'. The implementation (https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/ragged_tensor_to_sparse_kernel.cc#L30) has an incomplete validation of the splits values: it does not check that they are in increasing order. The Tensorflow team has patched the issue in GitHub commit 1071f554dbd09f7e101324d366eec5f4fe5a3ece.", "transitive": false, "more_info_path": "/v/41131/f17", "id": "pyup.io-41131", "type": "cve", "cve": "CVE-2021-37656"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35969: 'CHECK' fail in 'Conv2DBackpropInput'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-q2c3-jpmc-gfjx", "transitive": false, "more_info_path": "/v/51063/f17", "id": "pyup.io-51063", "type": "cve", "cve": "CVE-2022-35969"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a `DCHECK`. However, `DCHECK` is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the dereferencing of the null pointer, whereas in the second case it results in a crash due to the assertion failure. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44855/f17", "id": "pyup.io-44855", "type": "cve", "cve": "CVE-2022-23570"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21734: The implementation of 'MapStage' is vulnerable to a 'CHECK'-fail if the key tensor is not a scalar.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gcvh-66ff-4mwm", "transitive": false, "more_info_path": "/v/44786/f17", "id": "pyup.io-44786", "type": "cve", "cve": "CVE-2022-21734"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35934: 'CHECK' failure in tf.reshape via overflows.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-f4w6-h4f5-wx45", "transitive": false, "more_info_path": "/v/51047/f17", "id": "pyup.io-51047", "type": "cve", "cve": "CVE-2022-35934"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36012: Assertion fail on MLIR empty edge names.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-jvhc-5hhr-w3v5", "transitive": false, "more_info_path": "/v/51096/f17", "id": "pyup.io-51096", "type": "cve", "cve": "CVE-2022-36012"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 update its dependency 'curl' to v7.78.0 to handle CVE-2021-22926.", "transitive": true, "more_info_path": "/v/43750/f17", "id": "pyup.io-43750", "type": "cve", "cve": "CVE-2021-22926"}, {"specs": [">=2.0.0a0,<2.0.1", "<1.15.2"], "advisory": "Tensorflow versions 1.15.2 and 2.0.1 updates 'sqlite3' to handle CVE-2019-16168.", "transitive": true, 
"more_info_path": "/v/39568/f17", "id": "pyup.io-39568", "type": "cve", "cve": "CVE-2019-16168"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling `png::CommonInitDecode(..., &decode)`, the `decode` value contains allocated buffers which can only be freed by calling `png::CommonFreeDecode(&decode)`. However, several error case in the function implementation invoke the `OP_REQUIRES` macro which immediately terminates the execution of the function, without allowing for the memory free to occur. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44870/f17", "id": "pyup.io-44870", "type": "cve", "cve": "CVE-2022-23585"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41223: In affected versions, the implementation of 'FusedBatchNorm' kernels is vulnerable to a heap OOB access. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-f54p-f6jp-4rhr\r\nhttps://github.com/tensorflow/tensorflow/commit/aab9998916c2ffbd8f0592059fad352622f89cda", "transitive": false, "more_info_path": "/v/42470/f17", "id": "pyup.io-42470", "type": "cve", "cve": "CVE-2021-41223"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41893: If 'tf.raw_ops.TensorListResize' is given a nonscalar value for input 'size', it results 'CHECK' fail which can be used to trigger a denial of service attack.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-67pf-62xr-q35m", "transitive": false, "more_info_path": "/v/51951/f17", "id": "pyup.io-51951", "type": "cve", "cve": "CVE-2022-41893"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37673:\r\nIn affected versions, an attacker can trigger a denial of service via a \"CHECK\"-fail in \"tf.raw_ops.MapStage\". The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/map_stage_op.cc#L513) does not check that the \"key\" input is a valid non-empty tensor. 
The Tensorflow team has patched the issue in GitHub commit d7de67733925de196ec8863a33445b73f9562d1d.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-278g-rq84-9hmg\r\nhttps://github.com/tensorflow/tensorflow/commit/d7de67733925de196ec8863a33445b73f9562d1d", "transitive": false, "more_info_path": "/v/41148/f17", "id": "pyup.io-41148", "type": "cve", "cve": "CVE-2021-37673"}, {"specs": [">=2.0.0a0,<2.0.1", "<1.15.2"], "advisory": "Tensorflow versions 1.15.2 and 2.0.1 updates its dependency \"curl\" to handle CVE-2019-5482.", "transitive": true, "more_info_path": "/v/38039/f17", "id": "pyup.io-38039", "type": "cve", "cve": "CVE-2019-5482"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41224: In affected versions, the implementation of 'SparseFillEmptyRows' can be made to trigger a heap OOB access. This occurs whenever the size of 'indices' does not match the size of 'values'. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-rg3m-hqc5-344v\r\nhttps://github.com/tensorflow/tensorflow/commit/67bfd9feeecfb3c61d80f0e46d89c170fbee682b", "transitive": false, "more_info_path": "/v/42471/f17", "id": "pyup.io-42471", "type": "cve", "cve": "CVE-2021-41224"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35984: 'CHECK' fail in 'ParameterizedTruncatedNormal'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-p2xf-8hgm-hpw5", "transitive": false, "more_info_path": "/v/51073/f17", "id": "pyup.io-51073", "type": "cve", "cve": "CVE-2022-35984"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 include a fix for CVE-2020-15211: In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor. However, some operators can have some tensors be optional. To handle this scenario, the flatbuffer model uses a negative \"-1\" value as index for these tensors. This results in special casing during validation at model loading time. Unfortunately, this means that the \"-1\" index is a valid tensor index for any operator, including those that don't expect optional inputs and including for output tensors. Thus, this allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays. 
This results in both read and write gadgets, albeit very limited in scope. The issue was patched in several commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21, and fff2c83). A potential workaround would be to add a custom \"Verifier\" to the model loading code to ensure that only operators which accept optional inputs use the \"-1\" special value and only for the tensors that they expect to be optional. Since this allow-list type approach is error-prone, it's advised upgrading to the patched code.", "transitive": false, "more_info_path": "/v/39958/f17", "id": "pyup.io-39958", "type": "cve", "cve": "CVE-2020-15211"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. The implementation of `AssignOp` can result in copying uninitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized (to minimize number of allocations), but does not check that the right hand side is also initialized. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44858/f17", "id": "pyup.io-44858", "type": "cve", "cve": "CVE-2022-23573"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37648: In affected versions the code for 'tf.raw_ops.SaveV2' does not properly validate the inputs and an attacker can trigger a null pointer dereference. The implementation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/save_restore_v2_ops.cc) uses 'ValidateInputs' to check that the input arguments are valid. 
This validation would have caught the illegal state represented by the reproducer above. However, the validation uses 'OP_REQUIRES' which translates to setting the 'Status' object of the current 'OpKernelContext' to an error status, followed by an empty 'return' statement which just terminates the execution of the function it is present in. However, this does not mean that the kernel execution is finalized: instead, execution continues from the next line in 'Compute' that follows the call to 'ValidateInputs'. This is equivalent to lacking the validation. The Tensorflow team has patched the issue in GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986.", "transitive": false, "more_info_path": "/v/41123/f17", "id": "pyup.io-41123", "type": "cve", "cve": "CVE-2021-37648"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41205: In affected versions, the shape inference functions for the 'QuantizeAndDequantizeV*' operations can trigger a read outside of bounds of heap allocated array. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-49rx-x2rw-pc6f\r\nhttps://github.com/tensorflow/tensorflow/commit/7cf73a2274732c9d82af51c2bc2cf90d13cd7e6d", "transitive": false, "more_info_path": "/v/42452/f17", "id": "pyup.io-42452", "type": "cve", "cve": "CVE-2021-41205"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37641: In affected versions if the arguments to 'tf.raw_ops.RaggedGather' don't determine a valid ragged tensor code can trigger a read from outside of bounds of heap allocated buffers. 
The implementation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/ragged_gather_op.cc#L70) directly reads the first dimension of a tensor shape before checking that said tensor has rank of at least 1 (i.e., it is not a scalar). Furthermore, the implementation does not check that the list given by 'params_nested_splits' is not an empty list of tensors. The Tensorflow team has patched the issue in GitHub commit a2b743f6017d7b97af1fe49087ae15f0ac634373.", "transitive": false, "more_info_path": "/v/41116/f17", "id": "pyup.io-41116", "type": "cve", "cve": "CVE-2021-37641"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB in 'QuantizeAndDequantizeV3'. See CVE-2021-29553.", "transitive": false, "more_info_path": "/v/40709/f17", "id": "pyup.io-40709", "type": "cve", "cve": "CVE-2021-29553"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41909: An input 'encoded' that is not a valid 'CompositeTensorVariant' tensor will trigger a segfault in 'tf.raw_ops.CompositeTensorVariantToComponents'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjx6-v474-2ch9", "transitive": false, "more_info_path": "/v/51962/f17", "id": "pyup.io-51962", "type": "cve", "cve": "CVE-2022-41909"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37639: When restoring tensors via raw APIs, if the tensor name is not provided, TensorFlow can be tricked into dereferencing a null pointer. Alternatively, attackers can read memory outside the bounds of heap allocated data by providing some tensor names but not enough for a successful restoration. 
The implementation (https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/kernels/save_restore_tensor.cc#L158-L159) retrieves the tensor list corresponding to the 'tensor_name' user controlled input and immediately retrieves the tensor at the restoration index (controlled via 'preferred_shard' argument). This occurs without validating that the provided list has enough values. If the list is empty this results in dereferencing a null pointer (undefined behavior). If, however, the list has some elements and if the restoration index is outside the bounds, this results in heap OOB read. The Tensorflow team has patched the issue in GitHub commit 9e82dce6e6bd1f36a57e08fa85af213e2b2f2622.", "transitive": false, "more_info_path": "/v/41114/f17", "id": "pyup.io-41114", "type": "cve", "cve": "CVE-2021-37639"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35964: Segfault in 'BlockLSTMGradV2'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-f7r5-q7cx-h668", "transitive": false, "more_info_path": "/v/51058/f17", "id": "pyup.io-51058", "type": "cve", "cve": "CVE-2022-35964"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41214: In affected versions, the shape inference code for 'tf.ragged.cross' has an undefined behavior due to binding a reference to 'nullptr'. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-vwhq-49r4-gj9v\r\nhttps://github.com/tensorflow/tensorflow/commit/fa6b7782fbb14aa08d767bc799c531f5e1fb3bb8", "transitive": false, "more_info_path": "/v/42461/f17", "id": "pyup.io-42461", "type": "cve", "cve": "CVE-2021-41214"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.5.0, 2.4.2, 2.3.3, 2.2.3 and 2.1.4 include a fix for CVE-2021-29548: An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc) does not validate all constraints specified in the op's contract (https://www.tensorflow.org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization).", "transitive": false, "more_info_path": "/v/40468/f17", "id": "pyup.io-40468", "type": "cve", "cve": "CVE-2021-29548"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41908: TensorFlow is an open source platform for machine learning. An input 'token' that is not a UTF-8 bytestring will trigger a 'CHECK' fail in 'tf.raw_ops.PyFunc'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-mv77-9g28-cwg3", "transitive": false, "more_info_path": "/v/51961/f17", "id": "pyup.io-51961", "type": "cve", "cve": "CVE-2022-41908"}, {"specs": [">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow 2.3.1 includes a fix for CVE-2020-15198: In Tensorflow before version 2.3.1, the \"SparseCountSparseOutput\" implementation does not validate that the input arguments form a valid sparse tensor. 
In particular, there is no validation that the \"indices\" tensor has the same shape as the \"values\" one. The values in these tensors are always accessed in parallel. Thus, a shape mismatch can result in accesses outside the bounds of heap allocated buffers. The issue was patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-jc87-6vpp-7ff3", "transitive": false, "more_info_path": "/v/39865/f17", "id": "pyup.io-39865", "type": "cve", "cve": "CVE-2020-15198"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41219: In affected versions, the code for sparse matrix multiplication is vulnerable to undefined behavior via binding a reference to 'nullptr'. This occurs whenever the dimensions of 'a' or 'b' are 0 or less. In the case on one of these is 0, an empty output tensor should be allocated (to conserve the invariant that output tensors are always allocated when the operation is successful) but nothing should be written to it (that is, it should return early from the kernel implementation). Otherwise, attempts to write to this empty tensor would result in heap OOB access. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-4f99-p9c2-3j8x\r\nhttps://github.com/tensorflow/tensorflow/commit/e6cf28c72ba2eb949ca950d834dd6d66bb01cfae", "transitive": false, "more_info_path": "/v/42466/f17", "id": "pyup.io-42466", "type": "cve", "cve": "CVE-2021-41219"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29571: The implementation of 'tf.raw_ops.MaxPoolGradWithArgmax' can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. 
The implementation (https://github.com/tensorflow/tensorflow/blob/31bd5026304677faa8a0b77602c6154171b9aec1/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L116-L130) assumes that the last element of 'boxes' input is 4, as required by the op (https://www.tensorflow.org/api_docs/python/tf/raw_ops/DrawBoundingBoxesV2). Since this is not checked attackers passing values less than 4 can write outside of bounds of heap allocated objects and cause memory corruption. If the last dimension in 'boxes' is less than 4, accesses similar to 'tboxes(b, bb, 3)' will access data outside of bounds. Further during code execution there are also writes to these indices.", "transitive": false, "more_info_path": "/v/40470/f17", "id": "pyup.io-40470", "type": "cve", "cve": "CVE-2021-29571"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23581: The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a 'SavedModel' such that 'IsSimplifiableReshape' would trigger 'CHECK' failures.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-fq86-3f29-px2c", "transitive": false, "more_info_path": "/v/44866/f17", "id": "pyup.io-44866", "type": "cve", "cve": "CVE-2022-23581"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21737: The implementation of '*Bincount' operations allows malicious users to cause denial of service by passing in arguments which would trigger a 'CHECK'-fail. There are several conditions that the input arguments must satisfy. Some are not caught during shape inference and others are not caught during kernel implementation. 
This results in 'CHECK' failures later when the output tensors get allocated.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-f2vv-v9cg-qhh7", "transitive": false, "more_info_path": "/v/44789/f17", "id": "pyup.io-44789", "type": "cve", "cve": "CVE-2022-21737"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2 and 2.2.1 update its dependency \"SQLite\" to handle CVE-2020-11656.", "transitive": true, "more_info_path": "/v/39904/f17", "id": "pyup.io-39904", "type": "cve", "cve": "CVE-2020-11656"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow versions 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 include a fix for CVE-2021-29512: If the 'splits' argument of 'RaggedBincount' does not specify a valid 'SparseTensor' (https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the 'splits' tensor buffer in the implementation of the 'RaggedBincount' op (https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L433). Before the 'for' loop, 'batch_idx' is set to 0. The user controls the 'splits' array, making it contain only one element, 0. Thus, the code in the 'while' loop would increment 'batch_idx' and then try to read 'splits(1)', which is outside of bounds.", "transitive": false, "more_info_path": "/v/40464/f17", "id": "pyup.io-40464", "type": "cve", "cve": "CVE-2021-29512"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41900: The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. 
They can access heap memory which is not in the control of user, leading to a crash or remote code execution.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-xvwp-h6jv-7472", "transitive": false, "more_info_path": "/v/51958/f17", "id": "pyup.io-51958", "type": "cve", "cve": "CVE-2022-41900"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41890: If 'BCast::ToShape' is given input larger than an 'int32', it will crash, despite being supposed to handle up to an 'int64'. An example can be seen in 'tf.experimental.numpy.outer' by passing in large input to the input 'b'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-h246-cgh4-7475", "transitive": false, "more_info_path": "/v/51949/f17", "id": "pyup.io-51949", "type": "cve", "cve": "CVE-2022-41890"}, {"specs": [">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow versions 2.2.1 and 2.3.1 includes a fix for CVE-2020-15213: In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimension of the output tensor, attackers can use a very large value to trigger a large allocation. The issue was patched in commit 204945b19e44b57906c9344c0d00120eeeae178a. A potential workaround is to add a custom \"Verifier\" to limit the maximum value in the segment ids tensor. This only handles the case when the segment ids are stored statically in the model, but a similar validation could be done if the segment ids are generated at runtime, between inference steps. 
However, if the segment ids are generated as outputs of a tensor during inference steps, then there are no possible workaround and users are advised to upgrade to patched code.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-hjmq-236j-8m87", "transitive": false, "more_info_path": "/v/39851/f17", "id": "pyup.io-39851", "type": "cve", "cve": "CVE-2020-15213"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37681: In affected versions the implementation of SVDF in TFLite is vulnerable to a null pointer error (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/svdf.cc#L300-L313). The 'GetVariableInput' function (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L115-L119) can return a null pointer but 'GetTensorData' assumes that the argument is always a valid tensor. Furthermore, because 'GetVariableInput' calls 'GetMutableInput' (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L82-L90) which might return 'nullptr', the 'tensor->is_variable' expression can also trigger a null pointer exception. The Tensorflow team has patched the issue in GitHub commit 5b048e87e4e55990dae6b547add4dae59f4e1c76.", "transitive": false, "more_info_path": "/v/41156/f17", "id": "pyup.io-41156", "type": "cve", "cve": "CVE-2021-37681"}, {"specs": ["<1.15.5", ">=2.0.0a0,<2.0.4", ">=2.1.0rc0,<2.1.3", ">=2.2.0rc0,<2.2.2", ">=2.3.0rc0,<2.3.2", ">=2.4.0rc0,<2.4.0"], "advisory": "Tensorflow versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2 and 2.4.0 includes a fix for CVE-2020-26268: In affected versions, the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. 
However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden.", "transitive": false, "more_info_path": "/v/39265/f17", "id": "pyup.io-39265", "type": "cve", "cve": "CVE-2020-26268"}, {"specs": [">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow version 2.6.1 includes a fix for CVE-2021-41220: In affected versions, the async implementation of 'CollectiveReduceV2' suffers from a memory leak and a use after free. This occurs due to the asynchronous computation and the fact that objects that have been 'std::move()'d are still accessed. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gpfh-jvf9-7wg5\r\nhttps://github.com/tensorflow/tensorflow/commit/ca38dab9d3ee66c5de06f11af9a4b1200da5ef75", "transitive": false, "more_info_path": "/v/42467/f17", "id": "pyup.io-42467", "type": "cve", "cve": "CVE-2021-41220"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29192: missing validation which crashes 'QuantizeAndDequantizeV4Grad'.", "transitive": false, "more_info_path": "/v/48634/f17", "id": "pyup.io-48634", "type": "cve", "cve": "CVE-2022-29192"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23569: Multiple operations in TensorFlow can be used to trigger a denial of service via 'CHECK'-fails (i.e., assertion failures). This is similar to CVE-2021-41197 and has a similar fix. It is possible that other similar instances exist.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-qj5r-f9mv-rffh", "transitive": false, "more_info_path": "/v/44796/f17", "id": "pyup.io-44796", "type": "cve", "cve": "CVE-2022-23569"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35997: 'CHECK' fail in 'tf.sparse.cross'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-p7hr-f446-x6qf", "transitive": false, "more_info_path": "/v/51086/f17", "id": "pyup.io-51086", "type": "cve", "cve": "CVE-2022-35997"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. 
The implementation of `OpLevelCostEstimator::CalculateTensorSize` is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44860/f17", "id": "pyup.io-44860", "type": "cve", "cve": "CVE-2022-23575"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23558: An attacker can craft a TFLite model that would cause an integer overflow in 'TfLiteIntArrayCreate'. The 'TfLiteIntArrayGetSizeInBytes' returns an 'int' instead of a 'size_t'. An attacker can control model inputs such that 'computed_size' overflows the size of 'int' datatype.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9gwq-6cwj-47h3", "transitive": false, "more_info_path": "/v/44846/f17", "id": "pyup.io-44846", "type": "cve", "cve": "CVE-2022-23558"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29563: An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.RFFT`. 
Eigen code operating on an empty matrix can trigger on an assertion and will cause program termination.", "transitive": false, "more_info_path": "/v/40720/f17", "id": "pyup.io-40720", "type": "cve", "cve": "CVE-2021-29563"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29534: An attacker can trigger a denial of service via a 'CHECK'-fail in 'tf.raw_ops.SparseConcat'. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76) takes the values specified in 'shapes[0]' as dimensions for the output shape. The 'TensorShape' constructor (https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a 'CHECK' operation which triggers when 'InitDims' (https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. 
This is a legacy implementation of the constructor and operations should use 'BuildTensorShapeBase' or 'AddDimWithStatus' to prevent 'CHECK'-failures in the presence of overflows.", "transitive": false, "more_info_path": "/v/40694/f17", "id": "pyup.io-40694", "type": "cve", "cve": "CVE-2021-29534"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21739: The implementation of 'QuantizedMaxPool' has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-3mw4-6rj6-74g5", "transitive": false, "more_info_path": "/v/44791/f17", "id": "pyup.io-44791", "type": "cve", "cve": "CVE-2022-21739"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29513: Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. 
The conversion from Python array to C++ array (https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L113-L169) is vulnerable to a type confusion.", "transitive": false, "more_info_path": "/v/40465/f17", "id": "pyup.io-40465", "type": "cve", "cve": "CVE-2021-29513"}, {"specs": [">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow version 2.8.1 and 2.9.0 include a fix for CVE-2022-29210: Heap buffer overflow due to incorrect hash function.", "transitive": false, "more_info_path": "/v/48627/f17", "id": "pyup.io-48627", "type": "cve", "cve": "CVE-2022-29210"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23559: An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both 'embedding_size' and 'lookup_size' are products of values provided by the user. Hence, a malicious user could trigger overflows in the multiplication. 
In certain scenarios, this can then result in heap OOB read/write.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-98p5-x8x4-c9m5", "transitive": false, "more_info_path": "/v/44847/f17", "id": "pyup.io-44847", "type": "cve", "cve": "CVE-2022-23559"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35998: 'CHECK' fail in 'EmptyTensorList'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhw4-wwr7-gjc5", "transitive": false, "more_info_path": "/v/51087/f17", "id": "pyup.io-51087", "type": "cve", "cve": "CVE-2022-35998"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21729: The implementation of 'UnravelIndex' is vulnerable to a division by zero caused by an integer overflow bug.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-34f9-hjfq-rr8j", "transitive": false, "more_info_path": "/v/44781/f17", "id": "pyup.io-44781", "type": "cve", "cve": "CVE-2022-21729"}, {"specs": ["<1.7.1"], "advisory": "Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file. See CVE-2018-10055.", "transitive": false, "more_info_path": "/v/40786/f17", "id": "pyup.io-40786", "type": "cve", "cve": "CVE-2018-10055"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37658: In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all operations of type 'tf.raw_ops.MatrixSetDiagV*'. 
The implementation (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/linalg/matrix_diag_op.cc) has incomplete validation that the value of 'k' is a valid tensor. We have check that this value is either a scalar or a vector, but there is no check for the number of elements. If this is an empty tensor, then code that accesses the first element of the tensor is wrong. The Tensorflow team has patched the issue in GitHub commit ff8894044dfae5568ecbf2ed514c1a37dc394f1b.", "transitive": false, "more_info_path": "/v/41133/f17", "id": "pyup.io-41133", "type": "cve", "cve": "CVE-2021-37658"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36013: Null-dereference in 'mlir::tfg::GraphDefImporter::ConvertNodeDef'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-828c-5j5q-vrjq", "transitive": false, "more_info_path": "/v/51097/f17", "id": "pyup.io-51097", "type": "cve", "cve": "CVE-2022-36013"}, {"specs": [">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow version 2.3.1 includes a fix for CVE-2020-15196: In Tensorflow version 2.3.0, the \"SparseCountSparseOutput\" and \"RaggedCountSparseOutput\" implementations don't validate that the \"weights\" tensor has the same shape as the data. The check exists for \"DenseCountSparseOutput\", where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the bounds of the heap buffer allocated for the weights. 
The issue was patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-pg59-2f92-5cph", "transitive": false, "more_info_path": "/v/39867/f17", "id": "pyup.io-39867", "type": "cve", "cve": "CVE-2020-15196"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41907: When 'tf.raw_ops.ResizeNearestNeighborGrad' is given a large 'size' input, it overflows.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-368v-7v32-52fx", "transitive": false, "more_info_path": "/v/51960/f17", "id": "pyup.io-51960", "type": "cve", "cve": "CVE-2022-41907"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35981: 'CHECK' fail in 'FractionalMaxPoolGrad'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-vxv8-r8q2-63xw", "transitive": false, "more_info_path": "/v/51070/f17", "id": "pyup.io-51070", "type": "cve", "cve": "CVE-2022-35981"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21727: The implementation of shape inference for 'Dequantize' is vulnerable to an integer overflow weakness. The 'axis' argument can be '-1' (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. 
Unfortunately, the upper bound is not checked, and, since the code computes 'axis + 1', an attacker can trigger an integer overflow.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-c6fh-56w7-fvjw", "transitive": false, "more_info_path": "/v/44779/f17", "id": "pyup.io-44779", "type": "cve", "cve": "CVE-2022-21727"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1"], "advisory": "Tensorflow version 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37682:\r\nIn affected versions all TFLite operations that use quantization can be made to use unitialized values. (For example, https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/depthwise_conv.cc#L198-L200). The issue stems from the fact that \"quantization.params\" is only valid if \"quantization.type\" is different that \"kTfLiteNoQuantization\". However, these checks are missing in large parts of the code. The Tensorflow team has patched the issue in GitHub commits 537bc7c723439b9194a358f64d871dd326c18887, 4a91f2069f7145aab6ba2d8cfe41be8a110c18a5 and 8933b8a21280696ab119b63263babdb54c298538.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-4c4g-crqm-xrxw\r\nhttps://github.com/tensorflow/tensorflow/commit/4a91f2069f7145aab6ba2d8cfe41be8a110c18a5\r\nhttps://github.com/tensorflow/tensorflow/commit/537bc7c723439b9194a358f64d871dd326c18887\r\nhttps://github.com/tensorflow/tensorflow/commit/8933b8a21280696ab119b63263babdb54c298538", "transitive": false, "more_info_path": "/v/41157/f17", "id": "pyup.io-41157", "type": "cve", "cve": "CVE-2021-37682"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41902: The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. 
If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-cg88-rpvp-cjv5", "transitive": false, "more_info_path": "/v/52347/f17", "id": "pyup.io-52347", "type": "cve", "cve": "CVE-2022-41902"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23564: When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a 'CHECK' assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-8rcj-c8pj-v3m3", "transitive": false, "more_info_path": "/v/44852/f17", "id": "pyup.io-44852", "type": "cve", "cve": "CVE-2022-23564"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41896: If 'ThreadUnsafeUnigramCandidateSampler' is given input 'filterbank_channel_count' greater than the allowed max size, TensorFlow will crash.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-rmg2-f698-wq35", "transitive": false, "more_info_path": "/v/51954/f17", "id": "pyup.io-51954", "type": "cve", "cve": "CVE-2022-41896"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36000: 'CHECK' fail in 'Eig'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-fqxc-pvf8-2w9v", "transitive": false, "more_info_path": "/v/51089/f17", "id": "pyup.io-51089", "type": "cve", "cve": "CVE-2022-36000"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for 
CVE-2022-23560: An attacker can craft a TFLite model that would allow limited reads and writes outside of arrays in TFLite. This exploits missing validation in the conversion from sparse tensors to dense tensors.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-4hvf-hxvg-f67v", "transitive": false, "more_info_path": "/v/44848/f17", "id": "pyup.io-44848", "type": "cve", "cve": "CVE-2022-23560"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41207: In affected versions, the implementation of 'ParallelConcat' misses some input validation and can produce a division by 0. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-7v94-64hj-m82h\r\nhttps://github.com/tensorflow/tensorflow/commit/f2c3931113eaafe9ef558faaddd48e00a6606235", "transitive": false, "more_info_path": "/v/42454/f17", "id": "pyup.io-42454", "type": "cve", "cve": "CVE-2021-41207"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41202: In affected versions, while calculating the size of the output within the 'tf.range' kernel, there is a conditional statement of type 'int64 = condition ? int64 : double'. Due to C++ implicit conversion rules, both branches of the condition will be cast to 'double' and the result would be truncated before the assignment. This result in overflows. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx", "transitive": false, "more_info_path": "/v/42449/f17", "id": "pyup.io-42449", "type": "cve", "cve": "CVE-2021-41202"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41204: In affected versions, during TensorFlow's Grappler optimizer phase, constant folding might attempt to deep copy a resource tensor. This results in a segfault, as these tensors are supposed to not change. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-786j-5qwq-r36x\r\nhttps://github.com/tensorflow/tensorflow/commit/7731e8dfbe4a56773be5dc94d631611211156659", "transitive": false, "more_info_path": "/v/42451/f17", "id": "pyup.io-42451", "type": "cve", "cve": "CVE-2021-41204"}, {"specs": [">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37688: In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L268-L285) unconditionally dereferences a pointer. 
The Tensorflow team has patched the issue in GitHub commit 15691e456c7dc9bd6be203b09765b063bf4a380c.", "transitive": false, "more_info_path": "/v/41163/f17", "id": "pyup.io-41163", "type": "cve", "cve": "CVE-2021-37688"}, {"specs": [">=2.3.0rc0,<2.3.4rc0", ">=2.4.0rc0,<2.4.3rc0", ">=2.5.0rc0,<=2.5.0", ">=2.6.0rc0,<2.6.0"], "advisory": "Several versions of TensorFlow are affected by CVE-2021-37686: In affected versions, the strided slice implementation in TFLite has a logic bug which can allow an attacker to trigger an infinite loop. This arises from newly introduced support for ellipsis in axis definition (https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/strided_slice.cc#L103-L122). An attacker can craft a model such that 'ellipsis_end_idx' is smaller than 'i' (e.g., always negative). In this case, the inner loop does not increase 'i' and the 'continue' statement causes execution to skip over the preincrement at the end of the outer loop. 
The Tensorflow team has patched the issue in GitHub commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695.", "transitive": false, "more_info_path": "/v/41161/f17", "id": "pyup.io-41161", "type": "cve", "cve": "CVE-2021-37686"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35992: 'CHECK' fail in 'TensorListFromTensor'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9v8w-xmr4-wgxp", "transitive": false, "more_info_path": "/v/51081/f17", "id": "pyup.io-51081", "type": "cve", "cve": "CVE-2022-35992"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35986: Segfault in 'RaggedBincount'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-wr9v-g9vf-c74v", "transitive": false, "more_info_path": "/v/51075/f17", "id": "pyup.io-51075", "type": "cve", "cve": "CVE-2022-35986"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29550: An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.FractionalAvgPool`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L85-L89) computes a divisor quantity by dividing two user controlled values. The user controls the values of `input_size[i]` and `pooling_ratio_[i]` (via the `value.shape()` and `pooling_ratio` arguments). If the value in `input_size[i]` is smaller than the `pooling_ratio_[i]`, then the floor operation results in `output_size[i]` being 0. The `DCHECK_GT` line is a no-op outside of debug mode, so in released versions of TF this does not trigger. 
Later, these computed values are used as arguments (https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L96-L99) to `GeneratePoolingSequence`(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_pool_common.cc#L100-L108). There, the first computation is a division in a modulo operation. Since `output_length` can be 0, this results in runtime crashing.", "transitive": false, "more_info_path": "/v/40707/f17", "id": "pyup.io-40707", "type": "cve", "cve": "CVE-2021-29550"}, {"specs": [">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4", ">=2.5.0rc0,<2.5.0"], "advisory": "Tensorflow 2.5.0, 2.4.2, 2.3.3, 2.2.3, and 2.1.4 include a fix for CVE-2021-29614: The implementation of 'tf.io.decode_raw' produces incorrect results and crashes the Python interpreter when combining 'fixed_length' and wider datatypes. The implementation of the padded version (https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc) is buggy due to a confusion about pointer arithmetic rules. First, the code computes (https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L61) the width of each output element by dividing the 'fixed_length' value to the size of the type argument. The 'fixed_length' argument is also used to determine the size needed for the output tensor (https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L63-L79). This is followed by reencoding code (https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L85-L94). 
The erroneous code is the last line above: it is moving the 'out_data' pointer by 'fixed_length * sizeof (T)' bytes whereas it only copied at most 'fixed_length' bytes from the input. This results in parts of the input not being decoded into the output. Furthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory.", "transitive": false, "more_info_path": "/v/40472/f17", "id": "pyup.io-40472", "type": "cve", "cve": "CVE-2021-29614"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41199: In affected versions, if 'tf.image.resize' is called with a large input argument then the TensorFlow process will crash due to a 'CHECK'-failure caused by an overflow. The number of elements in the output tensor is too much for the 'int64_t' type and the overflow is detected via a 'CHECK' statement. This aborts the process. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-5hx2-qx8j-qjqm", "transitive": false, "more_info_path": "/v/42446/f17", "id": "pyup.io-42446", "type": "cve", "cve": "CVE-2021-41199"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21725: The estimator for the cost of some convolution operations can be made to execute a division by 0. The function fails to check that the stride argument is strictly positive. 
Hence, the fix is to add a check for the stride argument to ensure it is valid.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-v3f7-j968-4h5f", "transitive": false, "more_info_path": "/v/44777/f17", "id": "pyup.io-44777", "type": "cve", "cve": "CVE-2022-21725"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29191: Missing validation which causes denial of service via 'GetSessionTensor'.", "transitive": false, "more_info_path": "/v/48636/f17", "id": "pyup.io-48636", "type": "cve", "cve": "CVE-2022-29191"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23557: An attacker can craft a TFLite model that would trigger a division by zero in 'BiasAndClamp' implementation. There is no check that the 'bias_size' is non zero.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gf2j-f278-xh4v", "transitive": false, "more_info_path": "/v/44845/f17", "id": "pyup.io-44845", "type": "cve", "cve": "CVE-2022-23557"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23565: An attacker can trigger denial of service via assertion failure by altering a 'SavedModel' on disk such that 'AttrDef's of some operation are duplicated.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-4v5p-v5h9-6xjx", "transitive": false, "more_info_path": "/v/44853/f17", "id": "pyup.io-44853", "type": "cve", "cve": "CVE-2022-23565"}, {"specs": ["<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.9.3 and 2.10.1 include a fix for CVE-2022-41887: 'tf.keras.losses.poisson' receives a 'y_pred' and 'y_true' that are passed through 'functor::mul' in 'BinaryOp'. 
If the resulting dimensions overflow an 'int32', TensorFlow will crash due to a size mismatch during broadcast assignment.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-8fvv-46hw-vpg3", "transitive": false, "more_info_path": "/v/51946/f17", "id": "pyup.io-51946", "type": "cve", "cve": "CVE-2022-41887"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29546: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger an integer division by zero undefined behavior in `tf.raw_ops.QuantizedBiasAdd`. This is because the implementation of the Eigen kernel (https://github.com/tensorflow/tensorflow/blob/61bca8bd5ba8a68b2d97435ddfafcdf2b85672cd/tensorflow/core/kernels/quantization_utils.h#L812-L849) does a division by the number of elements of the smaller input (based on shape) without checking that this is not zero.", "transitive": false, "more_info_path": "/v/40704/f17", "id": "pyup.io-40704", "type": "cve", "cve": "CVE-2021-29546"}, {"specs": ["<2.4.0"], "advisory": "TensorFlow 2.4.0 includes a fix for CVE-2020-15265: In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. 
TensorFlow nightly packages after this commit will also have the issue resolved.", "transitive": false, "more_info_path": "/v/40794/f17", "id": "pyup.io-40794", "type": "cve", "cve": "CVE-2020-15265"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29514: If the 'splits' argument of 'RaggedBincount' does not specify a valid 'SparseTensor' (https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the 'splits' tensor buffer in the implementation of the 'RaggedBincount' op (https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L446). Before the 'for' loop, 'batch_idx' is set to 0. The attacker sets 'splits(0)' to be 7, hence the 'while' loop does not execute and 'batch_idx' remains 0. 
This then results in writing to 'out(-1, bin)', which is before the heap allocated buffer for the output tensor.", "transitive": false, "more_info_path": "/v/40466/f17", "id": "pyup.io-40466", "type": "cve", "cve": "CVE-2021-29514"}, {"specs": ["<2.6.4", ">=2.7.0rc0,<2.7.2", ">=2.8.0rc0,<2.8.1", ">=2.9.0rc0,<2.9.0"], "advisory": "Tensorflow versions 2.6.4, 2.7.2, 2.8.1 and 2.9.0 include a fix for CVE-2022-29212: Core dump when loading TFLite models with quantization.", "transitive": false, "more_info_path": "/v/48652/f17", "id": "pyup.io-48652", "type": "cve", "cve": "CVE-2022-29212"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23580: During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-627q-g293-49q7", "transitive": false, "more_info_path": "/v/44865/f17", "id": "pyup.io-44865", "type": "cve", "cve": "CVE-2022-23580"}, {"specs": [">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.5.1 and 2.6.0 include a fix for CVE-2021-37640: In affected versions the implementation of 'tf.raw_ops.SparseReshape' can be made to trigger an integral division by 0 exception. The implementation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/reshape_util.cc#L176-L181) calls the reshaping functor whenever there is at least an index in the input but does not check that shape of the input or the target shape have both a non-zero number of elements. The reshape functor (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/reshape_util.cc#L40-L78) blindly divides by the dimensions of the target shape. Hence, if this is not checked, code will result in a division by 0. 
The Tensorflow team has patched the issue in GitHub commit 4923de56ec94fff7770df259ab7f2288a74feb41.", "transitive": false, "more_info_path": "/v/41115/f17", "id": "pyup.io-41115", "type": "cve", "cve": "CVE-2021-37640"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41213: In affected versions, the code behind 'tf.function' API can be made to deadlock when two 'tf.function' decorated Python functions are mutually recursive. This occurs due to using a non-reentrant 'Lock' Python object. Loading any model which contains mutually recursive functions is vulnerable. An attacker can cause denial of service by causing users to load such models and calling a recursive 'tf.function', although this is not a frequent scenario.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-h67m-xg8f-fxcf\r\nhttps://github.com/tensorflow/tensorflow/commit/afac8158d43691661ad083f6dd9e56f327c1dcb7", "transitive": false, "more_info_path": "/v/42460/f17", "id": "pyup.io-42460", "type": "cve", "cve": "CVE-2021-41213"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35973: Segfault in 'QuantizedMatMul'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v", "transitive": false, "more_info_path": "/v/51067/f17", "id": "pyup.io-51067", "type": "cve", "cve": "CVE-2022-35973"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29560: An attacker can cause a heap buffer overflow in `tf.raw_ops.RaggedTensorToTensor`. 
This is because the implementation (https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222) uses the same index to access two arrays in parallel. Since the user controls the shape of the input arguments, an attacker could trigger a heap OOB access when 'parent_output_index' is shorter than 'row_split'.", "transitive": false, "more_info_path": "/v/40717/f17", "id": "pyup.io-40717", "type": "cve", "cve": "CVE-2021-29560"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36026: 'CHECK' fail in 'QuantizeAndDequantizeV3'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9cr2-8pwr-fhfq", "transitive": false, "more_info_path": "/v/51104/f17", "id": "pyup.io-51104", "type": "cve", "cve": "CVE-2022-36026"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35966: Segfault in 'QuantizedAvgPool'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-4w68-4x85-mjj9", "transitive": false, "more_info_path": "/v/51060/f17", "id": "pyup.io-51060", "type": "cve", "cve": "CVE-2022-35966"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.4.0rc0,<2.4.2", ">=2.3.0rc0,<2.3.3", ">=2.2.0rc0,<2.2.3", ">=2.1.0rc0,<2.1.4"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29610: The validation in 'tf.raw_ops.QuantizeAndDequantizeV2' allows invalid values for 'axis' argument:. The validation (https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74-L77) uses '||' to mix two different conditions. If 'axis_ < -1' the condition in 'OP_REQUIRES' will still be true, but this value of 'axis_' results in heap underflow. 
This allows attackers to read/write to other data on the heap.", "transitive": false, "more_info_path": "/v/40764/f17", "id": "pyup.io-40764", "type": "cve", "cve": "CVE-2021-29610"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35982: Segfault in 'SparseBincount'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-397c-5g2j-qxpv", "transitive": false, "more_info_path": "/v/51071/f17", "id": "pyup.io-51071", "type": "cve", "cve": "CVE-2022-35982"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35993: 'CHECK' fail in 'SetSize'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-wq6q-6m32-9rv9", "transitive": false, "more_info_path": "/v/51082/f17", "id": "pyup.io-51082", "type": "cve", "cve": "CVE-2022-35993"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23591: The 'GraphDef' format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a 'GraphDef' containing a fragment such as the following can be consumed when loading a 'SavedModel'. 
This would result in a stack overflow during execution as resolving each 'NodeDef' means resolving the function itself and its nodes.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-247x-2f9f-5wp7", "transitive": false, "more_info_path": "/v/44876/f17", "id": "pyup.io-44876", "type": "cve", "cve": "CVE-2022-23591"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41886: When 'tf.raw_ops.ImageProjectiveTransformV2' is given a large output shape, it overflows.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-54pp-c6pp-7fpx", "transitive": false, "more_info_path": "/v/51945/f17", "id": "pyup.io-51945", "type": "cve", "cve": "CVE-2022-41886"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37664: In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `BoostedTreesSparseCalculateBestFeatureSplit`. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/stats_ops.cc) needs to validate that each value in `stats_summary_indices` is in range. The Tensorflow team has patched the issue in GitHub commit e84c975313e8e8e38bb2ea118196369c45c51378.", "transitive": false, "more_info_path": "/v/41139/f17", "id": "pyup.io-41139", "type": "cve", "cve": "CVE-2021-37664"}, {"specs": [">=2.5.0rc0,<2.5.0", ">=2.1.0rc0,<2.1.4", ">=2.2.0rc0,<2.2.3", ">=2.3.0rc0,<2.3.3", ">=2.4.0rc0,<2.4.2"], "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2021-29539: TensorFlow is an end-to-end open source platform for machine learning. 
Calling `tf.raw_ops.ImmutableConst`(https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.", "transitive": false, "more_info_path": "/v/40467/f17", "id": "pyup.io-40467", "type": "cve", "cve": "CVE-2021-29539"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21738: The implementation of 'SparseCountSparseOutput' can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-x4qx-4fjv-hmw6", "transitive": false, "more_info_path": "/v/44790/f17", "id": "pyup.io-44790", "type": "cve", "cve": "CVE-2022-21738"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36016: 'CHECK'-fail in 'tensorflow::full_type::SubstituteFromAttrs'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-g468-qj8g-vcjc", "transitive": false, "more_info_path": "/v/51100/f17", "id": "pyup.io-51100", "type": "cve", "cve": "CVE-2022-36016"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41222: In affected versions, the implementation of 'SplitV' can trigger a segfault if an attacker supplies negative arguments. 
This occurs whenever 'size_splits' contains more than one value and at least one value is negative. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-cpf4-wx82-gxp6\r\nhttps://github.com/tensorflow/tensorflow/commit/25d622ffc432acc736b14ca3904177579e733cc6", "transitive": false, "more_info_path": "/v/42469/f17", "id": "pyup.io-42469", "type": "cve", "cve": "CVE-2021-41222"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35988: 'CHECK' fail in 'tf.linalg.matrix_rank'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9vqj-64pv-w55c", "transitive": false, "more_info_path": "/v/51077/f17", "id": "pyup.io-51077", "type": "cve", "cve": "CVE-2022-35988"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35965: Segfault in 'LowerBound' and 'UpperBound'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-qxpx-j395-pw36", "transitive": false, "more_info_path": "/v/51059/f17", "id": "pyup.io-51059", "type": "cve", "cve": "CVE-2022-35965"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35967: Segfault in 'QuantizedAdd'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-v6h3-348g-6h5x", "transitive": false, "more_info_path": "/v/51061/f17", "id": "pyup.io-51061", "type": "cve", "cve": "CVE-2022-35967"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35968: 'CHECK' fail in 'AvgPoolGrad'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-2475-53vw-vp25", "transitive": false, "more_info_path": "/v/51062/f17", "id": "pyup.io-51062", "type": "cve", "cve": "CVE-2022-35968"}, {"specs": 
["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35970: Segfault in 'QuantizedInstanceNorm'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-g35r-369w-3fqp", "transitive": false, "more_info_path": "/v/51064/f17", "id": "pyup.io-51064", "type": "cve", "cve": "CVE-2022-35970"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0a0,<2.1.2", ">=2.2.0a0,<2.2.1", ">=2.3.0a0,<2.3.1"], "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 include a fix for CVE-2020-15203: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the 'fill' argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a 'printf' call is constructed. This may result in segmentation fault.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-xmq7-7fxm-rr79", "transitive": false, "more_info_path": "/v/39942/f17", "id": "pyup.io-39942", "type": "cve", "cve": "CVE-2020-15203"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After `png::CommonFreeDecode(&decode)` gets called, the values of `decode.width` and `decode.height` are in an unspecified state. The fix will be included in TensorFlow 2.8.0. 
We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.", "transitive": false, "more_info_path": "/v/44869/f17", "id": "pyup.io-44869", "type": "cve", "cve": "CVE-2022-23584"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41221: In affected versions, the shape inference code for the 'Cudnn*' operations can be tricked into accessing invalid memory via a heap buffer overflow. This occurs because the ranks of the 'input', 'input_h' and 'input_c' parameters are not validated, but code assumes they have certain values. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-cqv6-3phm-hcwx\r\nhttps://github.com/tensorflow/tensorflow/commit/af5fcebb37c8b5d71c237f4e59c6477015c78ce6", "transitive": false, "more_info_path": "/v/42468/f17", "id": "pyup.io-42468", "type": "cve", "cve": "CVE-2021-41221"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23582: A malicious user can cause a denial of service by altering a 'SavedModel' such that 'TensorByteSize' would trigger 'CHECK' failures. 'TensorShape' constructor throws a 'CHECK'-fail if shape is partial or has a number of elements that would overflow the size of an 'int'. 
The 'PartialTensorShape' constructor instead does not cause a 'CHECK'-abort if the shape is partial, which is exactly what this function needs to be able to return '-1'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-4j82-5ccr-4r8v", "transitive": false, "more_info_path": "/v/44867/f17", "id": "pyup.io-44867", "type": "cve", "cve": "CVE-2022-23582"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36001: 'CHECK' fail in 'DrawBoundingBoxes'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-jqm7-m5q7-3hm5", "transitive": false, "more_info_path": "/v/51090/f17", "id": "pyup.io-51090", "type": "cve", "cve": "CVE-2022-36001"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35963: 'CHECK' failures in 'FractionalAvgPoolGrad'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-84jm-4cf3-9jfm", "transitive": false, "more_info_path": "/v/51057/f17", "id": "pyup.io-51057", "type": "cve", "cve": "CVE-2022-35963"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21726: The implementation of 'Dequantize' does not fully validate the value of 'axis' and can result in heap OOB accesses. The 'axis' argument can be '-1' (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. 
Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-23hm-7w47-xw72", "transitive": false, "more_info_path": "/v/44778/f17", "id": "pyup.io-44778", "type": "cve", "cve": "CVE-2022-21726"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23561: An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c78-vcq7-7vxq", "transitive": false, "more_info_path": "/v/44849/f17", "id": "pyup.io-44849", "type": "cve", "cve": "CVE-2022-23561"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41212: In affected versions, the shape inference code for 'tf.ragged.cross' can trigger a read outside of bounds of heap allocated array. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-fr77-rrx3-cp7g\r\nhttps://github.com/tensorflow/tensorflow/commit/fa6b7782fbb14aa08d767bc799c531f5e1fb3bb8", "transitive": false, "more_info_path": "/v/42459/f17", "id": "pyup.io-42459", "type": "cve", "cve": "CVE-2021-41212"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37680: In affected versions the implementation of fully connected layers in TFLite is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/fully_connected.cc#L226). The Tensorflow team has patched the issue in GitHub commit 718721986aa137691ee23f03638867151f74935f.", "transitive": false, "more_info_path": "/v/41155/f17", "id": "pyup.io-41155", "type": "cve", "cve": "CVE-2021-37680"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35999: 'CHECK' fail in 'Conv2DBackpropInput'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-37jf-mjv6-xfqw", "transitive": false, "more_info_path": "/v/51088/f17", "id": "pyup.io-51088", "type": "cve", "cve": "CVE-2022-35999"}, {"specs": ["<1.15.4", ">=2.0.0a0,<2.0.3", ">=2.1.0rc0,<2.1.2", ">=2.2.0rc0,<2.2.1", ">=2.3.0rc0,<2.3.1"], "advisory": "TensorFlow 2.4.0 includes a fix for CVE-2020-15194: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `SparseFillEmptyRowsGrad` implementation has incomplete validation of the shapes of its arguments. Although `reverse_index_map_t` and `grad_values_t` are accessed in a similar pattern, only `reverse_index_map_t` is validated to be of proper shape. 
Hence, malicious users can pass a bad `grad_values_t` to trigger an assertion failure in `vec`, causing denial of service in serving installations. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.\"", "transitive": false, "more_info_path": "/v/39869/f17", "id": "pyup.io-39869", "type": "cve", "cve": "CVE-2020-15194"}, {"specs": [">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3", ">=2.3.0rc0,<2.3.4", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37691: In affected versions an attacker can craft a TFLite model that would trigger a division by zero error in LSH [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/lsh_projection.cc#L118). The Tensorflow team has patched the issue in GitHub commit 0575b640091680cfb70f4dd93e70658de43b94f9.", "transitive": false, "more_info_path": "/v/41167/f17", "id": "pyup.io-41167", "type": "cve", "cve": "CVE-2021-37691"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", " >=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41210: In affected versions, the shape inference functions for 'SparseCountSparseOutput' can trigger a read outside of bounds of heap allocated array. 
The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-m342-ff57-4jcc\r\nhttps://github.com/tensorflow/tensorflow/commit/701cfaca222a82afbeeb17496bd718baa65a67d2", "transitive": false, "more_info_path": "/v/42457/f17", "id": "pyup.io-42457", "type": "cve", "cve": "CVE-2021-41210"}, {"specs": ["<2.8.4", ">=2.9.0rc0,<2.9.3", ">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.8.4, 2.9.3 and 2.10.1 include a fix for CVE-2022-41894: The reference kernel of the 'CONV_3D_TRANSPOSE' TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of 'data_ptr += num_channels;' it should be 'data_ptr += output_num_channels;' as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. 
This attack only works if the reference kernel resolver is used in the interpreter.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6q3-vv32-2cq5", "transitive": false, "more_info_path": "/v/51952/f17", "id": "pyup.io-51952", "type": "cve", "cve": "CVE-2022-41894"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35995: 'CHECK' fail in 'AudioSummaryV2'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-g9h5-vr8m-x2h4", "transitive": false, "more_info_path": "/v/51084/f17", "id": "pyup.io-51084", "type": "cve", "cve": "CVE-2022-35995"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "TensorFlow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41225: In affected versions, TensorFlow's Grappler optimizer has a use of unitialized variable. If the 'train_nodes' vector (obtained from the saved model that gets optimized) does not contain a 'Dequeue' node, then 'dequeue_node' is left unitialized. The fix is also included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-7r94-xv9v-63jw\r\nhttps://github.com/tensorflow/tensorflow/commit/68867bf01239d9e1048f98cbad185bf4761bedd3", "transitive": false, "more_info_path": "/v/42472/f17", "id": "pyup.io-42472", "type": "cve", "cve": "CVE-2021-41225"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37653: In affected versions an attacker can trigger a crash via a floating point exception in 'tf.raw_ops.ResourceGather'. The implementation (https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L725-L731) computes the value of a value, 'batch_size', and then divides by it without checking that this value is not 0. 
The Tensorflow team has patched the issue in GitHub commit ac117ee8a8ea57b73d34665cdf00ef3303bc0b11.", "transitive": false, "more_info_path": "/v/41128/f17", "id": "pyup.io-41128", "type": "cve", "cve": "CVE-2021-37653"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35971: 'CHECK' fail in 'FakeQuantWithMinMaxVars'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-9fpg-838v-wpv7", "transitive": false, "more_info_path": "/v/51065/f17", "id": "pyup.io-51065", "type": "cve", "cve": "CVE-2022-35971"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37636: In affected versions the implementation of 'tf.raw_ops.SparseDenseCwiseDiv' is vulnerable to a division by 0 error. The implementation (https://github.com/tensorflow/tensorflow/blob/a1bc56203f21a5a4995311825ffaba7a670d7747/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc#L56) uses a common class for all binary operations but fails to treat the division by 0 case separately. 
The Tensorflow team has patched the issue in GitHub commit d9204be9f49520cdaaeb2541d1dc5187b23f31d9.", "transitive": false, "more_info_path": "/v/41111/f17", "id": "pyup.io-41111", "type": "cve", "cve": "CVE-2021-37636"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36004: 'CHECK' fail in 'tf.random.gamma'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-mv8m-8x97-937q", "transitive": false, "more_info_path": "/v/51093/f17", "id": "pyup.io-51093", "type": "cve", "cve": "CVE-2022-36004"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37660: In affected versions an attacker can cause a floating point exception by calling inplace operations with crafted arguments that would result in a division by 0. The implementation (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/inplace_ops.cc#L283) has a logic error: it should skip processing if 'x' and 'v' are empty but the code uses '||' instead of '&&'. The Tensorflow team has patched the issue in GitHub commit e86605c0a336c088b638da02135ea6f9f6753618.", "transitive": false, "more_info_path": "/v/41135/f17", "id": "pyup.io-41135", "type": "cve", "cve": "CVE-2021-37660"}, {"specs": [">=2.6.0rc0,<2.6.0", ">=2.3.0rc0,<2.3.4", ">=2.5.0rc0,<2.5.1", ">=2.4.0rc0,<2.4.3"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37666: In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in 'tf.raw_ops.RaggedTensorToVariant'. 
The implementation (https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L129) has an incomplete validation of the splits values, missing the case when the argument would be empty. The Tensorflow team has patched the issue in GitHub commit be7a4de6adfbd303ce08be4332554dff70362612.", "transitive": false, "more_info_path": "/v/41141/f17", "id": "pyup.io-41141", "type": "cve", "cve": "CVE-2021-37666"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36018: 'CHECK' fail in 'RaggedTensorToVariant'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-m6cv-4fmf-66xf", "transitive": false, "more_info_path": "/v/51102/f17", "id": "pyup.io-51102", "type": "cve", "cve": "CVE-2022-36018"}, {"specs": ["<2.5.3", ">=2.6.0a0,<2.6.3", ">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21731: The implementation of shape inference for 'ConcatV2' can be used to trigger a denial of service attack via a segfault caused by a type confusion. The 'axis' argument is translated into 'concat_dim' in the 'ConcatShapeHelper' helper function. Then, a value for 'min_rank' is computed based on 'concat_dim'. This is then used to validate that the 'values' tensor has at least the required rank. However, 'WithRankAtLeast' receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented. 
Due to the fact that 'min_rank' is a 32-bits value and the value of 'axis', the 'rank' argument is a negative value, so the error check is bypassed.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-m4hf-j54p-p353", "transitive": false, "more_info_path": "/v/44783/f17", "id": "pyup.io-44783", "type": "cve", "cve": "CVE-2022-21731"}, {"specs": [">=2.10.0rc0,<2.10.1"], "advisory": "Tensorflow 2.10.1 includes a fix for CVE-2022-41883: When ops that have specified input sizes receive a differing number of inputs, the executor will crash.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-w58w-79xv-6vcj", "transitive": false, "more_info_path": "/v/51942/f17", "id": "pyup.io-51942", "type": "cve", "cve": "CVE-2022-41883"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-35989: 'CHECK' fail in 'MaxPool'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-j43h-pgmg-5hjq", "transitive": false, "more_info_path": "/v/51078/f17", "id": "pyup.io-51078", "type": "cve", "cve": "CVE-2022-35989"}, {"specs": [">=2.3.0rc0,<2.3.4", ">=2.4.0rc0,<2.4.3", ">=2.5.0rc0,<2.5.1", ">=2.6.0rc0,<2.6.0"], "advisory": "TensorFlow 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37642: In affected versions the implementation of 'tf.raw_ops.ResourceScatterDiv' is vulnerable to a division by 0 error. The implementation (https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/resource_variable_ops.cc#L865) uses a common class for all binary operations but fails to treat the division by 0 case separately. 
The Tensorflow team has patched the issue in GitHub commit 4aacb30888638da75023e6601149415b39763d76.", "transitive": false, "more_info_path": "/v/41117/f17", "id": "pyup.io-41117", "type": "cve", "cve": "CVE-2021-37642"}, {"specs": ["<2.4.4", ">=2.5.0rc0,<2.5.2", ">=2.6.0rc0,<2.6.1"], "advisory": "Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41198: In affected versions, if 'tf.tile' is called with a large input argument, then the TensorFlow process will crash due to a 'CHECK'-failure caused by an overflow. The number of elements in the output tensor is too much for the 'int64_t' type and the overflow is detected via a 'CHECK' statement. This aborts the process. The fix is included in TensorFlow 2.7.0.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-2p25-55c9-h58q", "transitive": false, "more_info_path": "/v/42445/f17", "id": "pyup.io-42445", "type": "cve", "cve": "CVE-2021-41198"}, {"specs": [">=2.7.0a0,<2.7.1", ">=2.8.0a0,<2.8.0"], "advisory": "Tensorflow is an Open Source Machine Learning Framework. The TFG dialect of TensorFlow (MLIR) makes several assumptions about the incoming `GraphDef` before converting it to the MLIR-based dialect. If an attacker changes the `SavedModel` format on disk to invalidate these assumptions and the `GraphDef` is then converted to MLIR-based IR then they can cause a crash in the Python interpreter. Under certain scenarios, heap OOB read/writes are possible. These issues have been discovered via fuzzing and it is possible that more weaknesses exist. 
We will patch them as they are discovered.", "transitive": false, "more_info_path": "/v/44879/f17", "id": "pyup.io-44879", "type": "cve", "cve": "CVE-2022-23594"}, {"specs": ["<2.7.4", ">=2.8.0rc0,<2.8.3", ">=2.9.0rc0,<2.9.2"], "advisory": "TensorFlow 2.7.4, 2.8.3 and 2.9.2 include a fix for CVE-2022-36005: 'CHECK' fail in 'FakeQuantWithMinMaxVarsGradient'.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-r26c-679w-mrjm", "transitive": false, "more_info_path": "/v/51094/f17", "id": "pyup.io-51094", "type": "cve", "cve": "CVE-2022-36005"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-27579: Constructing a tflite model with a paramater 'filter_input_channel' of less than 1 gives a FPE.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-5w96-866f-6rm8", "transitive": false, "more_info_path": "/v/53864/f17", "id": "pyup.io-53864", "type": "cve", "cve": "CVE-2023-27579"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25671: There is out-of-bounds access due to mismatched integer type sizes.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-j5w9-hmfh-4cr6", "transitive": false, "more_info_path": "/v/53857/f17", "id": "pyup.io-53857", "type": "cve", "cve": "CVE-2023-25671"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25670: Versions prior to 2.12.0 and 2.11.1 have a null point error in QuantizedMatMulWithBiasAndDequantize with MKL enabled.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-49rq-hwc3-x77w", "transitive": false, "more_info_path": "/v/53856/f17", "id": "pyup.io-53856", "type": "cve", "cve": "CVE-2023-25670"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25669: Prior to versions 2.12.0 and 2.11.1, if the 
stride and window size are not positive for 'tf.raw_ops.AvgPoolGrad', it can give a floating point exception.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-rcf8-g8jv-vg6p", "transitive": false, "more_info_path": "/v/53855/f17", "id": "pyup.io-53855", "type": "cve", "cve": "CVE-2023-25669"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25668: Attackers using Tensorflow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of user, leading to a crash or remote code execution.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gw97-ff7c-9v96", "transitive": false, "more_info_path": "/v/53854/f17", "id": "pyup.io-53854", "type": "cve", "cve": "CVE-2023-25668"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25664: Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-6hg6-5c2q-7rcr", "transitive": false, "more_info_path": "/v/53850/f17", "id": "pyup.io-53850", "type": "cve", "cve": "CVE-2023-25664"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25663: Prior to versions 2.12.0 and 2.11.1, when 'ctx->step_containter()' is a null ptr, the Lookup function will be executed with a null pointer.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-64jg-wjww-7c5w", "transitive": false, "more_info_path": "/v/53849/f17", "id": "pyup.io-53849", "type": "cve", "cve": "CVE-2023-25663"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25662: Versions prior to 2.12.0 and 2.11.1 are vulnerable to integer overflow in EditDistance.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-7jvm-xxmr-v5cw", "transitive": false, 
"more_info_path": "/v/53848/f17", "id": "pyup.io-53848", "type": "cve", "cve": "CVE-2023-25662"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25660: Prior to versions 2.12.0 and 2.11.1, when the parameter 'summarize' of 'tf.raw_ops.Print' is zero, the new method 'SummarizeArray<bool>' will reference to a nullptr, leading to a seg fault.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-qjqc-vqcf-5qvj", "transitive": false, "more_info_path": "/v/53847/f17", "id": "pyup.io-53847", "type": "cve", "cve": "CVE-2023-25660"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25659: Prior to versions 2.12.0 and 2.11.1, if the parameter 'indices' for 'DynamicStitch' does not match the shape of the parameter 'data', it can trigger an stack OOB read.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-93vr-9q9m-pj8p", "transitive": false, "more_info_path": "/v/53846/f17", "id": "pyup.io-53846", "type": "cve", "cve": "CVE-2023-25659"}, {"specs": ["<2.11.1", ">=2.12.0rc0,<2.12.0"], "advisory": "Tensorflow 2.11.1 and 2.12.0 include a fix for CVE-2023-25658: Prior to versions 2.12.0 and 2.11.1, an out of bounds read is in GRUBlockCellGrad.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-68v3-g9cm-rmm6", "transitive": false, "more_info_path": "/v/53845/f17", "id": "pyup.io-53845", "type": "cve", "cve": "CVE-2023-25658"}], "chia": [{"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46814/f17", "id": "pyup.io-46814", "type": "cve", "cve": "CVE-2021-41213"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44344/f17", "id": "pyup.io-44344", 
"type": "cve", "cve": "CVE-2021-37652"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46858/f17", "id": "pyup.io-46858", "type": "cve", "cve": "CVE-2022-23568"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44382/f17", "id": "pyup.io-44382", "type": "cve", "cve": "CVE-2021-37690"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44334/f17", "id": "pyup.io-44334", "type": "cve", "cve": "CVE-2021-37642"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44370/f17", "id": "pyup.io-44370", "type": "cve", "cve": "CVE-2021-37678"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44319/f17", "id": "pyup.io-44319", "type": "cve", "cve": "CVE-2021-29612"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44373/f17", "id": "pyup.io-44373", "type": "cve", "cve": "CVE-2021-37681"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44379/f17", "id": "pyup.io-44379", "type": "cve", "cve": "CVE-2021-37687"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44234/f17", "id": "pyup.io-44234", "type": "cve", "cve": "CVE-2021-29529"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or 
lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46815/f17", "id": "pyup.io-46815", "type": "cve", "cve": "CVE-2021-41214"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46821/f17", "id": "pyup.io-46821", "type": "cve", "cve": "CVE-2021-41220"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46824/f17", "id": "pyup.io-46824", "type": "cve", "cve": "CVE-2021-41223"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46825/f17", "id": "pyup.io-46825", "type": "cve", "cve": "CVE-2021-41224"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44259/f17", "id": "pyup.io-44259", "type": "cve", "cve": "CVE-2021-29554"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46827/f17", "id": "pyup.io-46827", "type": "cve", "cve": "CVE-2021-41226"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46828/f17", "id": "pyup.io-46828", "type": "cve", "cve": "CVE-2021-41227"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": 
true, "more_info_path": "/v/46830/f17", "id": "pyup.io-46830", "type": "cve", "cve": "CVE-2022-21725"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46834/f17", "id": "pyup.io-46834", "type": "cve", "cve": "CVE-2022-21729"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46835/f17", "id": "pyup.io-46835", "type": "cve", "cve": "CVE-2022-21730"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44275/f17", "id": "pyup.io-44275", "type": "cve", "cve": "CVE-2021-29569"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44280/f17", "id": "pyup.io-44280", "type": "cve", "cve": "CVE-2021-29573"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46837/f17", "id": "pyup.io-46837", "type": "cve", "cve": "CVE-2022-21732"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44362/f17", "id": "pyup.io-44362", "type": "cve", "cve": "CVE-2021-37670"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46838/f17", "id": "pyup.io-46838", "type": "cve", "cve": "CVE-2022-21733"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include 
security fixes.", "transitive": true, "more_info_path": "/v/44316/f17", "id": "pyup.io-44316", "type": "cve", "cve": "CVE-2021-29609"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44329/f17", "id": "pyup.io-44329", "type": "cve", "cve": "CVE-2021-37637"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44315/f17", "id": "pyup.io-44315", "type": "cve", "cve": "CVE-2021-29608"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46877/f17", "id": "pyup.io-46877", "type": "cve", "cve": "CVE-2022-23587"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46879/f17", "id": "pyup.io-46879", "type": "cve", "cve": "CVE-2022-23589"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44333/f17", "id": "pyup.io-44333", "type": "cve", "cve": "CVE-2021-37641"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46881/f17", "id": "pyup.io-46881", "type": "cve", "cve": "CVE-2022-23595"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46820/f17", "id": "pyup.io-46820", "type": "cve", "cve": "CVE-2021-41219"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 
and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46822/f17", "id": "pyup.io-46822", "type": "cve", "cve": "CVE-2021-41221"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46823/f17", "id": "pyup.io-46823", "type": "cve", "cve": "CVE-2021-41222"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46826/f17", "id": "pyup.io-46826", "type": "cve", "cve": "CVE-2021-41225"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46831/f17", "id": "pyup.io-46831", "type": "cve", "cve": "CVE-2022-21726"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46829/f17", "id": "pyup.io-46829", "type": "cve", "cve": "CVE-2021-41228"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46832/f17", "id": "pyup.io-46832", "type": "cve", "cve": "CVE-2022-21727"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46833/f17", "id": "pyup.io-46833", "type": "cve", "cve": "CVE-2022-21728"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and 
prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46836/f17", "id": "pyup.io-46836", "type": "cve", "cve": "CVE-2022-21731"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46839/f17", "id": "pyup.io-46839", "type": "cve", "cve": "CVE-2022-21734"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46841/f17", "id": "pyup.io-46841", "type": "cve", "cve": "CVE-2022-21736"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46840/f17", "id": "pyup.io-46840", "type": "cve", "cve": "CVE-2022-21735"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46842/f17", "id": "pyup.io-46842", "type": "cve", "cve": "CVE-2022-21737"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46843/f17", "id": "pyup.io-46843", "type": "cve", "cve": "CVE-2022-21738"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46844/f17", "id": "pyup.io-46844", "type": "cve", "cve": "CVE-2022-21739"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and 
prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46845/f17", "id": "pyup.io-46845", "type": "cve", "cve": "CVE-2022-21740"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46846/f17", "id": "pyup.io-46846", "type": "cve", "cve": "CVE-2022-21741"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44354/f17", "id": "pyup.io-44354", "type": "cve", "cve": "CVE-2021-37662"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46847/f17", "id": "pyup.io-46847", "type": "cve", "cve": "CVE-2022-23557"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46848/f17", "id": "pyup.io-46848", "type": "cve", "cve": "CVE-2022-23558"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46849/f17", "id": "pyup.io-46849", "type": "cve", "cve": "CVE-2022-23559"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44357/f17", "id": "pyup.io-44357", "type": "cve", "cve": "CVE-2021-37665"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, 
"more_info_path": "/v/46850/f17", "id": "pyup.io-46850", "type": "cve", "cve": "CVE-2022-23560"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46851/f17", "id": "pyup.io-46851", "type": "cve", "cve": "CVE-2022-23561"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46852/f17", "id": "pyup.io-46852", "type": "cve", "cve": "CVE-2022-23562"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46853/f17", "id": "pyup.io-46853", "type": "cve", "cve": "CVE-2022-23563"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46854/f17", "id": "pyup.io-46854", "type": "cve", "cve": "CVE-2022-23564"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46855/f17", "id": "pyup.io-46855", "type": "cve", "cve": "CVE-2022-23565"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46856/f17", "id": "pyup.io-46856", "type": "cve", "cve": "CVE-2022-23566"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, 
"more_info_path": "/v/46857/f17", "id": "pyup.io-46857", "type": "cve", "cve": "CVE-2022-23567"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46859/f17", "id": "pyup.io-46859", "type": "cve", "cve": "CVE-2022-23569"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46860/f17", "id": "pyup.io-46860", "type": "cve", "cve": "CVE-2022-23570"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46861/f17", "id": "pyup.io-46861", "type": "cve", "cve": "CVE-2022-23571"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46862/f17", "id": "pyup.io-46862", "type": "cve", "cve": "CVE-2022-23572"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44366/f17", "id": "pyup.io-44366", "type": "cve", "cve": "CVE-2021-37674"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46863/f17", "id": "pyup.io-46863", "type": "cve", "cve": "CVE-2022-23573"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46864/f17", "id": "pyup.io-46864", "type": 
"cve", "cve": "CVE-2022-23574"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46865/f17", "id": "pyup.io-46865", "type": "cve", "cve": "CVE-2022-23575"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46866/f17", "id": "pyup.io-46866", "type": "cve", "cve": "CVE-2022-23576"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46867/f17", "id": "pyup.io-46867", "type": "cve", "cve": "CVE-2022-23577"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46868/f17", "id": "pyup.io-46868", "type": "cve", "cve": "CVE-2022-23578"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46869/f17", "id": "pyup.io-46869", "type": "cve", "cve": "CVE-2022-23579"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46870/f17", "id": "pyup.io-46870", "type": "cve", "cve": "CVE-2022-23580"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46871/f17", "id": "pyup.io-46871", "type": 
"cve", "cve": "CVE-2022-23581"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46872/f17", "id": "pyup.io-46872", "type": "cve", "cve": "CVE-2022-23582"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46873/f17", "id": "pyup.io-46873", "type": "cve", "cve": "CVE-2022-23583"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46874/f17", "id": "pyup.io-46874", "type": "cve", "cve": "CVE-2022-23584"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46875/f17", "id": "pyup.io-46875", "type": "cve", "cve": "CVE-2022-23585"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46876/f17", "id": "pyup.io-46876", "type": "cve", "cve": "CVE-2022-23586"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46878/f17", "id": "pyup.io-46878", "type": "cve", "cve": "CVE-2022-23588"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46880/f17", "id": "pyup.io-46880", "type": 
"cve", "cve": "CVE-2022-23591"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46803/f17", "id": "pyup.io-46803", "type": "cve", "cve": "CVE-2021-41202"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46812/f17", "id": "pyup.io-46812", "type": "cve", "cve": "CVE-2021-41211"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46819/f17", "id": "pyup.io-46819", "type": "cve", "cve": "CVE-2021-41218"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44335/f17", "id": "pyup.io-44335", "type": "cve", "cve": "CVE-2021-37643"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44337/f17", "id": "pyup.io-44337", "type": "cve", "cve": "CVE-2021-37645"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44346/f17", "id": "pyup.io-44346", "type": "cve", "cve": "CVE-2021-37654"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44347/f17", "id": "pyup.io-44347", "type": "cve", "cve": "CVE-2021-37655"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44320/f17", "id": "pyup.io-44320", "type": "cve", "cve": "CVE-2021-29613"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44255/f17", "id": "pyup.io-44255", "type": "cve", "cve": "CVE-2021-29550"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44188/f17", "id": "pyup.io-44188", "type": "cve", "cve": "CVE-2020-15202"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44365/f17", "id": "pyup.io-44365", "type": "cve", "cve": "CVE-2021-37673"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44381/f17", "id": "pyup.io-44381", "type": "cve", "cve": "CVE-2021-37689"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44267/f17", "id": "pyup.io-44267", "type": "cve", "cve": "CVE-2021-29562"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44268/f17", "id": "pyup.io-44268", "type": "cve", "cve": "CVE-2021-29563"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44260/f17", "id": "pyup.io-44260", "type": "cve", "cve": "CVE-2021-29555"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44269/f17", "id": "pyup.io-44269", "type": "cve", "cve": "CVE-2021-29564"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44270/f17", "id": "pyup.io-44270", "type": "cve", "cve": "CVE-2021-29565"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44273/f17", "id": "pyup.io-44273", "type": "cve", "cve": "CVE-2021-29569"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44197/f17", "id": "pyup.io-44197", "type": "cve", "cve": "CVE-2020-15211"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44198/f17", "id": "pyup.io-44198", "type": "cve", "cve": "CVE-2020-15212"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44285/f17", "id": "pyup.io-44285", "type": "cve", "cve": "CVE-2021-29578"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44290/f17", "id": "pyup.io-44290", "type": "cve", "cve": "CVE-2021-29583"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44294/f17", "id": "pyup.io-44294", "type": "cve", "cve": "CVE-2021-29587"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44245/f17", "id": "pyup.io-44245", "type": "cve", "cve": "CVE-2021-29540"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44296/f17", "id": "pyup.io-44296", "type": "cve", "cve": "CVE-2021-29589"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44262/f17", "id": "pyup.io-44262", "type": "cve", "cve": "CVE-2021-29557"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44263/f17", "id": "pyup.io-44263", "type": "cve", "cve": "CVE-2021-29558"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44266/f17", "id": "pyup.io-44266", "type": "cve", "cve": "CVE-2021-29561"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44312/f17", "id": "pyup.io-44312", "type": "cve", "cve": "CVE-2021-29605"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44322/f17", "id": "pyup.io-44322", "type": "cve", "cve": "CVE-2021-29615"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44326/f17", "id": "pyup.io-44326", "type": "cve", "cve": "CVE-2021-29619"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44348/f17", "id": "pyup.io-44348", "type": "cve", "cve": "CVE-2021-37656"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44352/f17", "id": "pyup.io-44352", "type": "cve", "cve": "CVE-2021-37660"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44272/f17", "id": "pyup.io-44272", "type": "cve", "cve": "CVE-2021-29568"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44214/f17", "id": "pyup.io-44214", "type": "cve", "cve": "CVE-2021-22876"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44274/f17", "id": "pyup.io-44274", "type": "cve", "cve": "CVE-2021-29570"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44288/f17", "id": "pyup.io-44288", "type": "cve", "cve": "CVE-2021-29581"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44293/f17", "id": "pyup.io-44293", "type": "cve", "cve": "CVE-2021-29586"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44305/f17", "id": "pyup.io-44305", "type": "cve", "cve": "CVE-2021-29598"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44307/f17", "id": "pyup.io-44307", "type": "cve", "cve": "CVE-2021-29600"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44311/f17", "id": "pyup.io-44311", "type": "cve", "cve": "CVE-2021-29604"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44286/f17", "id": "pyup.io-44286", "type": "cve", "cve": "CVE-2021-29579"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44289/f17", "id": "pyup.io-44289", "type": "cve", "cve": "CVE-2021-29582"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44241/f17", "id": "pyup.io-44241", "type": "cve", "cve": "CVE-2021-29536"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44190/f17", "id": "pyup.io-44190", "type": "cve", "cve": "CVE-2020-15204"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44292/f17", "id": "pyup.io-44292", "type": "cve", "cve": "CVE-2021-29585"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44324/f17", "id": "pyup.io-44324", "type": "cve", "cve": "CVE-2021-29617"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44327/f17", "id": "pyup.io-44327", "type": "cve", "cve": "CVE-2021-37635"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44299/f17", "id": "pyup.io-44299", "type": "cve", "cve": "CVE-2021-29592"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44301/f17", "id": "pyup.io-44301", "type": "cve", "cve": "CVE-2021-29594"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44300/f17", "id": "pyup.io-44300", "type": "cve", "cve": "CVE-2021-29593"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44256/f17", "id": "pyup.io-44256", "type": "cve", "cve": "CVE-2021-29551"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44258/f17", "id": "pyup.io-44258", "type": "cve", "cve": "CVE-2021-29553"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44261/f17", "id": "pyup.io-44261", "type": "cve", "cve": "CVE-2021-29556"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44264/f17", "id": "pyup.io-44264", "type": "cve", "cve": "CVE-2021-29559"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44265/f17", "id": "pyup.io-44265", "type": "cve", "cve": "CVE-2021-29560"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44278/f17", "id": "pyup.io-44278", "type": "cve", "cve": "CVE-2021-29571"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44279/f17", "id": "pyup.io-44279", "type": "cve", "cve": "CVE-2021-29572"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44284/f17", "id": "pyup.io-44284", "type": "cve", "cve": "CVE-2021-29577"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44295/f17", "id": "pyup.io-44295", "type": "cve", "cve": "CVE-2021-29588"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44283/f17", "id": "pyup.io-44283", "type": "cve", "cve": "CVE-2021-29576"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44302/f17", "id": "pyup.io-44302", "type": "cve", "cve": "CVE-2021-29595"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44306/f17", "id": "pyup.io-44306", "type": "cve", "cve": "CVE-2021-29599"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44308/f17", "id": "pyup.io-44308", "type": "cve", "cve": "CVE-2021-29601"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44309/f17", "id": "pyup.io-44309", "type": "cve", "cve": "CVE-2021-29602"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44313/f17", "id": "pyup.io-44313", "type": "cve", "cve": "CVE-2021-29606"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44318/f17", "id": "pyup.io-44318", "type": "cve", "cve": "CVE-2021-29611"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44325/f17", "id": "pyup.io-44325", "type": "cve", "cve": "CVE-2021-29618"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44328/f17", "id": "pyup.io-44328", "type": "cve", "cve": "CVE-2021-37636"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44332/f17", "id": "pyup.io-44332", "type": "cve", "cve": "CVE-2021-37640"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44353/f17", "id": "pyup.io-44353", "type": "cve", "cve": "CVE-2021-37661"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44358/f17", "id": "pyup.io-44358", "type": "cve", "cve": "CVE-2021-37666"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44291/f17", "id": "pyup.io-44291", "type": "cve", "cve": "CVE-2021-29584"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44361/f17", "id": "pyup.io-44361", "type": "cve", "cve": "CVE-2021-37669"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44380/f17", "id": "pyup.io-44380", "type": "cve", "cve": "CVE-2021-37688"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44287/f17", "id": "pyup.io-44287", "type": "cve", "cve": "CVE-2021-29580"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44303/f17", "id": "pyup.io-44303", "type": "cve", "cve": "CVE-2021-29596"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44304/f17", "id": "pyup.io-44304", "type": "cve", "cve": "CVE-2021-29597"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44298/f17", "id": "pyup.io-44298", "type": "cve", "cve": "CVE-2021-29591"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44356/f17", "id": "pyup.io-44356", "type": "cve", "cve": "CVE-2021-37664"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44374/f17", "id": "pyup.io-44374", "type": "cve", "cve": "CVE-2021-37682"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44194/f17", "id": "pyup.io-44194", "type": "cve", "cve": "CVE-2020-15208"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44253/f17", "id": "pyup.io-44253", "type": "cve", "cve": "CVE-2021-29548"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44176/f17", "id": "pyup.io-44176", "type": "cve", "cve": "CVE-2020-15190"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44177/f17", "id": "pyup.io-44177", "type": "cve", "cve": "CVE-2020-15191"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44180/f17", "id": "pyup.io-44180", "type": "cve", "cve": "CVE-2020-15194"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44189/f17", "id": "pyup.io-44189", "type": "cve", "cve": "CVE-2020-15203"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44192/f17", "id": "pyup.io-44192", "type": "cve", "cve": "CVE-2020-15206"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44202/f17", "id": "pyup.io-44202", "type": "cve", "cve": "CVE-2020-15266"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44221/f17", "id": "pyup.io-44221", "type": "cve", "cve": "CVE-2021-29516"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44224/f17", "id": "pyup.io-44224", "type": "cve", "cve": "CVE-2021-29519"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44229/f17", "id": "pyup.io-44229", "type": "cve", "cve": "CVE-2021-29524"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44235/f17", "id": "pyup.io-44235", "type": "cve", "cve": "CVE-2021-29530"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44238/f17", "id": "pyup.io-44238", "type": "cve", "cve": "CVE-2021-29533"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44240/f17", "id": "pyup.io-44240", "type": "cve", "cve": "CVE-2021-29535"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44242/f17", "id": "pyup.io-44242", "type": "cve", "cve": "CVE-2021-29537"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44244/f17", "id": "pyup.io-44244", "type": "cve", "cve": "CVE-2021-29539"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44254/f17", "id": "pyup.io-44254", "type": "cve", "cve": "CVE-2021-29549"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44330/f17", "id": "pyup.io-44330", "type": "cve", "cve": "CVE-2021-37638"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44310/f17", "id": "pyup.io-44310", "type": "cve", "cve": "CVE-2021-29603"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44216/f17", "id": "pyup.io-44216", "type": "cve", "cve": "CVE-2021-22898"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44314/f17", "id": "pyup.io-44314", "type": "cve", "cve": "CVE-2021-29607"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44323/f17", "id": "pyup.io-44323", "type": "cve", "cve": "CVE-2021-29616"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44257/f17", "id": "pyup.io-44257", "type": "cve", "cve": "CVE-2021-29552"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44271/f17", "id": "pyup.io-44271", "type": "cve", "cve": "CVE-2021-29566"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44276/f17", "id": "pyup.io-44276", "type": "cve", "cve": "CVE-2021-29570"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44277/f17", "id": "pyup.io-44277", "type": "cve", "cve": "CVE-2021-29569"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44281/f17", "id": "pyup.io-44281", "type": "cve", "cve": "CVE-2021-29574"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44282/f17", "id": "pyup.io-44282", "type": "cve", "cve": "CVE-2021-29575"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44331/f17", "id": "pyup.io-44331", "type": "cve", "cve": "CVE-2021-37639"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44336/f17", "id": "pyup.io-44336", "type": "cve", "cve": "CVE-2021-37644"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44338/f17", "id": "pyup.io-44338", "type": "cve", "cve": "CVE-2021-37646"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44339/f17", "id": "pyup.io-44339", "type": "cve", "cve": "CVE-2021-37647"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44340/f17", "id": "pyup.io-44340", "type": "cve", "cve": "CVE-2021-37648"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44341/f17", "id": "pyup.io-44341", "type": "cve", "cve": "CVE-2021-37649"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44342/f17", "id": "pyup.io-44342", "type": "cve", "cve": "CVE-2021-37650"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44343/f17", "id": "pyup.io-44343", "type": "cve", "cve": "CVE-2021-37651"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44345/f17", "id": "pyup.io-44345", "type": "cve", "cve": "CVE-2021-37653"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44349/f17", "id": "pyup.io-44349", "type": "cve", "cve": "CVE-2021-37657"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44350/f17", "id": "pyup.io-44350", "type": "cve", "cve": "CVE-2021-37658"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44351/f17", "id": "pyup.io-44351", "type": "cve", "cve": "CVE-2021-37659"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44355/f17", "id": "pyup.io-44355", "type": "cve", "cve": "CVE-2021-37663"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44359/f17", "id": "pyup.io-44359", "type": "cve", "cve": "CVE-2021-37667"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44360/f17", "id": "pyup.io-44360", "type": "cve", "cve": "CVE-2021-37668"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44363/f17", "id": "pyup.io-44363", "type": "cve", "cve": "CVE-2021-37671"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44364/f17", "id": "pyup.io-44364", "type": "cve", "cve": "CVE-2021-37672"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44367/f17", "id": "pyup.io-44367", "type": "cve", "cve": "CVE-2021-37675"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44368/f17", "id": "pyup.io-44368", "type": "cve", "cve": "CVE-2021-37676"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44369/f17", "id": "pyup.io-44369", "type": "cve", "cve": "CVE-2021-37677"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44371/f17", "id": "pyup.io-44371", "type": "cve", "cve": "CVE-2021-37679"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44372/f17", "id": "pyup.io-44372", "type": "cve", "cve": "CVE-2021-37680"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44375/f17", "id": "pyup.io-44375", "type": "cve", "cve": "CVE-2021-37683"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44376/f17", "id": "pyup.io-44376", "type": "cve", "cve": "CVE-2021-37684"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44377/f17", "id": "pyup.io-44377", "type": "cve", "cve": "CVE-2021-37685"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44378/f17", "id": "pyup.io-44378", "type": "cve", "cve": "CVE-2021-37686"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44383/f17", "id": "pyup.io-44383", "type": "cve", "cve": "CVE-2021-37691"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44181/f17", "id": "pyup.io-44181", "type": "cve", "cve": "CVE-2020-15195"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44195/f17", "id": "pyup.io-44195", "type": "cve", "cve": "CVE-2020-15209"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44208/f17", "id": "pyup.io-44208", "type": "cve", "cve": "CVE-2020-26271"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44222/f17", "id": "pyup.io-44222", "type": "cve", "cve": "CVE-2021-29517"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44223/f17", "id": "pyup.io-44223", "type": "cve", "cve": "CVE-2021-29518"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44228/f17", "id": "pyup.io-44228", "type": "cve", "cve": "CVE-2021-29523"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44231/f17", "id": "pyup.io-44231", "type": "cve", "cve": "CVE-2021-29526"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44239/f17", "id": "pyup.io-44239", "type": "cve", "cve": "CVE-2021-29534"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44213/f17", "id": "pyup.io-44213", "type": "cve", "cve": "CVE-2020-8286"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44178/f17", "id": "pyup.io-44178", "type": "cve", "cve": "CVE-2020-15192"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44179/f17", "id": "pyup.io-44179", "type": "cve", "cve": "CVE-2020-15193"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44182/f17", "id": "pyup.io-44182", "type": "cve", "cve": "CVE-2020-15196"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44183/f17", "id": "pyup.io-44183", "type": "cve", "cve": "CVE-2020-15197"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44184/f17", "id": "pyup.io-44184", "type": "cve", "cve": "CVE-2020-15198"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44185/f17", "id": "pyup.io-44185", "type": "cve", "cve": "CVE-2020-15199"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44186/f17", "id": "pyup.io-44186", "type": "cve", "cve": "CVE-2020-15200"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44187/f17", "id": "pyup.io-44187", "type": "cve", "cve": "CVE-2020-15201"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44191/f17", "id": "pyup.io-44191", "type": "cve", "cve": "CVE-2020-15205"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44193/f17", "id": "pyup.io-44193", "type": "cve", "cve": "CVE-2020-15207"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44196/f17", "id": "pyup.io-44196", "type": "cve", "cve": "CVE-2020-15210"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44199/f17", "id": "pyup.io-44199", "type": "cve", "cve": "CVE-2020-15213"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44200/f17", "id": "pyup.io-44200", "type": "cve", "cve": "CVE-2020-15214"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44204/f17", "id": "pyup.io-44204", "type": "cve", "cve": "CVE-2020-26266"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44201/f17", "id": "pyup.io-44201", "type": "cve", "cve": "CVE-2020-15265"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44205/f17", "id": "pyup.io-44205", "type": "cve", "cve": "CVE-2020-26267"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44206/f17", "id": "pyup.io-44206", "type": "cve", "cve": "CVE-2020-26268"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44207/f17", "id": "pyup.io-44207", "type": "cve", "cve": "CVE-2020-26270"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44218/f17", "id": "pyup.io-44218", "type": "cve", "cve": "CVE-2021-29513"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44219/f17", "id": "pyup.io-44219", "type": "cve", "cve": "CVE-2021-29514"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44220/f17", "id": "pyup.io-44220", "type": "cve", "cve": "CVE-2021-29515"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44211/f17", "id": "pyup.io-44211", "type": "cve", "cve": "CVE-2020-8231"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44226/f17", "id": "pyup.io-44226", "type": "cve", "cve": "CVE-2021-29521"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44227/f17", "id": "pyup.io-44227", "type": "cve", "cve": "CVE-2021-29522"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44230/f17", "id": "pyup.io-44230", "type": "cve", "cve": "CVE-2021-29525"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44232/f17", "id": "pyup.io-44232", "type": "cve", "cve": "CVE-2021-29527"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44233/f17", "id": "pyup.io-44233", "type": "cve", "cve": "CVE-2021-29528"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44236/f17", "id": "pyup.io-44236", "type": "cve", "cve": "CVE-2021-29531"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44237/f17", "id": "pyup.io-44237", "type": "cve", "cve": "CVE-2021-29532"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44243/f17", "id": "pyup.io-44243", "type": "cve", "cve": "CVE-2021-29538"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44246/f17", "id": "pyup.io-44246", "type": "cve", "cve": "CVE-2021-29541"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44250/f17", "id": "pyup.io-44250", "type": "cve", "cve": "CVE-2021-29545"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44248/f17", "id": "pyup.io-44248", "type": "cve", "cve": "CVE-2021-29543"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44249/f17", "id": "pyup.io-44249", "type": "cve", "cve": "CVE-2021-29544"}, 
{"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44251/f17", "id": "pyup.io-44251", "type": "cve", "cve": "CVE-2021-29546"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44252/f17", "id": "pyup.io-44252", "type": "cve", "cve": "CVE-2021-29547"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44210/f17", "id": "pyup.io-44210", "type": "cve", "cve": "CVE-2020-8177"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44297/f17", "id": "pyup.io-44297", "type": "cve", "cve": "CVE-2021-29590"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44321/f17", "id": "pyup.io-44321", "type": "cve", "cve": "CVE-2021-29614"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46796/f17", "id": "pyup.io-46796", "type": "cve", "cve": "CVE-2021-41195"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46797/f17", "id": "pyup.io-46797", "type": "cve", "cve": "CVE-2021-41196"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46798/f17", "id": "pyup.io-46798", "type": "cve", "cve": "CVE-2021-41197"}, {"specs": ["<=2.5.0"], "advisory": 
"Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46801/f17", "id": "pyup.io-46801", "type": "cve", "cve": "CVE-2021-41200"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46799/f17", "id": "pyup.io-46799", "type": "cve", "cve": "CVE-2021-41198"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46800/f17", "id": "pyup.io-46800", "type": "cve", "cve": "CVE-2021-41199"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46802/f17", "id": "pyup.io-46802", "type": "cve", "cve": "CVE-2021-41201"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46805/f17", "id": "pyup.io-46805", "type": "cve", "cve": "CVE-2021-41204"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46804/f17", "id": "pyup.io-46804", "type": "cve", "cve": "CVE-2021-41203"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46806/f17", "id": "pyup.io-46806", "type": "cve", "cve": "CVE-2021-41205"}, {"specs": ["<=2.5.0"], "advisory": 
"Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46807/f17", "id": "pyup.io-46807", "type": "cve", "cve": "CVE-2021-41206"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46808/f17", "id": "pyup.io-46808", "type": "cve", "cve": "CVE-2021-41207"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46809/f17", "id": "pyup.io-46809", "type": "cve", "cve": "CVE-2021-41208"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46810/f17", "id": "pyup.io-46810", "type": "cve", "cve": "CVE-2021-41209"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46811/f17", "id": "pyup.io-46811", "type": "cve", "cve": "CVE-2021-41210"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46813/f17", "id": "pyup.io-46813", "type": "cve", "cve": "CVE-2021-41212"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46816/f17", "id": "pyup.io-46816", "type": "cve", "cve": "CVE-2021-41215"}, {"specs": ["<=2.5.0"], "advisory": 
"Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46817/f17", "id": "pyup.io-46817", "type": "cve", "cve": "CVE-2021-41216"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46818/f17", "id": "pyup.io-46818", "type": "cve", "cve": "CVE-2021-41217"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44247/f17", "id": "pyup.io-44247", "type": "cve", "cve": "CVE-2021-29542"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44225/f17", "id": "pyup.io-44225", "type": "cve", "cve": "CVE-2021-29520"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/41298/f17", "id": "pyup.io-41298", "type": "cve", "cve": "CVE-2019-20838"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44175/f17", "id": "pyup.io-44175", "type": "cve", "cve": "CVE-2020-14155"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44174/f17", "id": "pyup.io-44174", "type": "cve", "cve": "CVE-2020-13790"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44203/f17", "id": "pyup.io-44203", "type": "cve", "cve": "CVE-2020-15358"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, 
"more_info_path": "/v/44209/f17", "id": "pyup.io-44209", "type": "cve", "cve": "CVE-2020-8169"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44212/f17", "id": "pyup.io-44212", "type": "cve", "cve": "CVE-2020-8284"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44215/f17", "id": "pyup.io-44215", "type": "cve", "cve": "CVE-2021-22897"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44217/f17", "id": "pyup.io-44217", "type": "cve", "cve": "CVE-2021-22901"}, {"specs": ["<2.4.0"], "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "transitive": true, "more_info_path": "/v/44317/f17", "id": "pyup.io-44317", "type": "cve", "cve": "CVE-2021-29610"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46791/f17", "id": "pyup.io-46791", "type": "cve", "cve": "CVE-2020-10531"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46792/f17", "id": "pyup.io-46792", "type": "cve", "cve": "CVE-2021-22922"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46794/f17", "id": "pyup.io-46794", "type": "cve", "cve": "CVE-2021-22924"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known 
vulnerabilities.", "transitive": true, "more_info_path": "/v/46795/f17", "id": "pyup.io-46795", "type": "cve", "cve": "CVE-2021-22925"}, {"specs": ["<=2.5.0"], "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46793/f17", "id": "pyup.io-46793", "type": "cve", "cve": "CVE-2021-22923"}], "django-jet": [{"specs": ["<1.0.4"], "advisory": "Django-jet 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.\r\nhttps://github.com/geex-arts/django-jet/commit/734f3521d8290f6162847ad0b5c33d8ab5e119a9", "transitive": false, "more_info_path": "/v/25769/f17", "id": "pyup.io-25769", "type": "pve", "cve": "PVE-2021-25769"}], "deepcell": [{"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48938/f17", "id": "pyup.io-48938", "type": "cve", "cve": "CVE-2021-41228"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48799/f17", "id": "pyup.io-48799", "type": "cve", "cve": "CVE-2021-29575"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48819/f17", "id": "pyup.io-48819", "type": "cve", "cve": "CVE-2021-29595"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48668/f17", "id": "pyup.io-48668", "type": "cve", "cve": "CVE-2018-19664"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48669/f17", 
"id": "pyup.io-48669", "type": "cve", "cve": "CVE-2018-20330"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48693/f17", "id": "pyup.io-48693", "type": "cve", "cve": "CVE-2020-15195"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48823/f17", "id": "pyup.io-48823", "type": "cve", "cve": "CVE-2021-29599"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48986/f17", "id": "pyup.io-48986", "type": "cve", "cve": "CVE-2022-23587"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48695/f17", "id": "pyup.io-48695", "type": "cve", "cve": "CVE-2020-15203"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48671/f17", "id": "pyup.io-48671", "type": "cve", "cve": "CVE-2019-13960"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48680/f17", "id": "pyup.io-48680", "type": "cve", "cve": "CVE-2019-5481"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48698/f17", "id": "pyup.io-48698", "type": "cve", "cve": "CVE-2020-15206"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48701/f17", "id": "pyup.io-48701", "type": "cve", "cve": "CVE-2020-15209"}, 
{"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48817/f17", "id": "pyup.io-48817", "type": "cve", "cve": "CVE-2021-29593"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48756/f17", "id": "pyup.io-48756", "type": "cve", "cve": "CVE-2021-29532"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48796/f17", "id": "pyup.io-48796", "type": "cve", "cve": "CVE-2021-29572"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48810/f17", "id": "pyup.io-48810", "type": "cve", "cve": "CVE-2021-29586"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48863/f17", "id": "pyup.io-48863", "type": "cve", "cve": "CVE-2021-37655"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48965/f17", "id": "pyup.io-48965", "type": "cve", "cve": "CVE-2022-23566"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48990/f17", "id": "pyup.io-48990", "type": "cve", "cve": "CVE-2022-23595"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48765/f17", "id": "pyup.io-48765", "type": "cve", "cve": 
"CVE-2021-29541"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48820/f17", "id": "pyup.io-48820", "type": "cve", "cve": "CVE-2021-29596"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48945/f17", "id": "pyup.io-48945", "type": "cve", "cve": "CVE-2022-21731"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48974/f17", "id": "pyup.io-48974", "type": "cve", "cve": "CVE-2022-23575"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48977/f17", "id": "pyup.io-48977", "type": "cve", "cve": "CVE-2022-23578"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48847/f17", "id": "pyup.io-48847", "type": "cve", "cve": "CVE-2021-37638"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48705/f17", "id": "pyup.io-48705", "type": "cve", "cve": "CVE-2020-26266"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48923/f17", "id": "pyup.io-48923", "type": "cve", "cve": "CVE-2021-41212"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48933/f17", "id": "pyup.io-48933", "type": "cve", "cve": 
"CVE-2021-41223"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48772/f17", "id": "pyup.io-48772", "type": "cve", "cve": "CVE-2021-29548"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48703/f17", "id": "pyup.io-48703", "type": "cve", "cve": "CVE-2020-15211"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48748/f17", "id": "pyup.io-48748", "type": "cve", "cve": "CVE-2021-29524"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48836/f17", "id": "pyup.io-48836", "type": "cve", "cve": "CVE-2021-29612"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48861/f17", "id": "pyup.io-48861", "type": "cve", "cve": "CVE-2021-37653"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48884/f17", "id": "pyup.io-48884", "type": "cve", "cve": "CVE-2021-37676"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48856/f17", "id": "pyup.io-48856", "type": "cve", "cve": "CVE-2021-37648"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48710/f17", "id": "pyup.io-48710", "type": "cve", "cve": 
"CVE-2020-5215"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48717/f17", "id": "pyup.io-48717", "type": "cve", "cve": "CVE-2020-15266"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48803/f17", "id": "pyup.io-48803", "type": "cve", "cve": "CVE-2021-29579"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48959/f17", "id": "pyup.io-48959", "type": "cve", "cve": "CVE-2022-23560"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48729/f17", "id": "pyup.io-48729", "type": "cve", "cve": "CVE-2020-8284"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48936/f17", "id": "pyup.io-48936", "type": "cve", "cve": "CVE-2021-41226"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48833/f17", "id": "pyup.io-48833", "type": "cve", "cve": "CVE-2021-29609"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48837/f17", "id": "pyup.io-48837", "type": "cve", "cve": "CVE-2021-29613"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48688/f17", "id": "pyup.io-48688", "type": "cve", "cve": 
"CVE-2020-13790"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48814/f17", "id": "pyup.io-48814", "type": "cve", "cve": "CVE-2021-29590"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48877/f17", "id": "pyup.io-48877", "type": "cve", "cve": "CVE-2021-37669"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48692/f17", "id": "pyup.io-48692", "type": "cve", "cve": "CVE-2020-15194"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48752/f17", "id": "pyup.io-48752", "type": "cve", "cve": "CVE-2021-29528"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48785/f17", "id": "pyup.io-48785", "type": "cve", "cve": "CVE-2021-29561"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48706/f17", "id": "pyup.io-48706", "type": "cve", "cve": "CVE-2020-26267"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48708/f17", "id": "pyup.io-48708", "type": "cve", "cve": "CVE-2020-26270"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48730/f17", "id": "pyup.io-48730", "type": "cve", "cve": "CVE-2020-8285"}, {"specs": 
["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48832/f17", "id": "pyup.io-48832", "type": "cve", "cve": "CVE-2021-29608"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48824/f17", "id": "pyup.io-48824", "type": "cve", "cve": "CVE-2021-29600"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48988/f17", "id": "pyup.io-48988", "type": "cve", "cve": "CVE-2022-23589"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48982/f17", "id": "pyup.io-48982", "type": "cve", "cve": "CVE-2022-23583"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48809/f17", "id": "pyup.io-48809", "type": "cve", "cve": "CVE-2021-29585"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48704/f17", "id": "pyup.io-48704", "type": "cve", "cve": "CVE-2020-15250"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48736/f17", "id": "pyup.io-48736", "type": "cve", "cve": "CVE-2021-29512"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48745/f17", "id": "pyup.io-48745", "type": "cve", "cve": "CVE-2021-29521"}, {"specs": 
["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48917/f17", "id": "pyup.io-48917", "type": "cve", "cve": "CVE-2021-41206"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48903/f17", "id": "pyup.io-48903", "type": "cve", "cve": "CVE-2021-22924"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48674/f17", "id": "pyup.io-48674", "type": "cve", "cve": "CVE-2019-16778"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48675/f17", "id": "pyup.io-48675", "type": "cve", "cve": "CVE-2019-19244"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48712/f17", "id": "pyup.io-48712", "type": "cve", "cve": "CVE-2019-20838"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48843/f17", "id": "pyup.io-48843", "type": "cve", "cve": "CVE-2021-29619"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48802/f17", "id": "pyup.io-48802", "type": "cve", "cve": "CVE-2021-29578"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48865/f17", "id": "pyup.io-48865", "type": "cve", "cve": "CVE-2021-37657"}, {"specs": ["<0.8"], "advisory": 
"Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48685/f17", "id": "pyup.io-48685", "type": "cve", "cve": "CVE-2020-13435"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48891/f17", "id": "pyup.io-48891", "type": "cve", "cve": "CVE-2021-37683"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48821/f17", "id": "pyup.io-48821", "type": "cve", "cve": "CVE-2021-29597"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48813/f17", "id": "pyup.io-48813", "type": "cve", "cve": "CVE-2021-29589"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48791/f17", "id": "pyup.io-48791", "type": "cve", "cve": "CVE-2021-29567"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48780/f17", "id": "pyup.io-48780", "type": "cve", "cve": "CVE-2021-29556"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48818/f17", "id": "pyup.io-48818", "type": "cve", "cve": "CVE-2021-29594"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48828/f17", "id": "pyup.io-48828", "type": "cve", "cve": "CVE-2021-29604"}, {"specs": ["<0.10.0rc1"], 
"advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48881/f17", "id": "pyup.io-48881", "type": "cve", "cve": "CVE-2021-37673"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48912/f17", "id": "pyup.io-48912", "type": "cve", "cve": "CVE-2021-41201"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48887/f17", "id": "pyup.io-48887", "type": "cve", "cve": "CVE-2021-37679"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48910/f17", "id": "pyup.io-48910", "type": "cve", "cve": "CVE-2021-41199"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48894/f17", "id": "pyup.io-48894", "type": "cve", "cve": "CVE-2021-37686"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48673/f17", "id": "pyup.io-48673", "type": "cve", "cve": "CVE-2019-16168"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48922/f17", "id": "pyup.io-48922", "type": "cve", "cve": "CVE-2021-41211"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48927/f17", "id": "pyup.io-48927", "type": "cve", "cve": "CVE-2021-41216"}, {"specs": ["<0.10.0rc1"], 
"advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48866/f17", "id": "pyup.io-48866", "type": "cve", "cve": "CVE-2021-37658"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48667/f17", "id": "pyup.io-48667", "type": "cve", "cve": "CVE-2018-17190"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48666/f17", "id": "pyup.io-48666", "type": "cve", "cve": "CVE-2018-11770"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48670/f17", "id": "pyup.io-48670", "type": "cve", "cve": "CVE-2019-10099"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48676/f17", "id": "pyup.io-48676", "type": "cve", "cve": "CVE-2019-19645"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48985/f17", "id": "pyup.io-48985", "type": "cve", "cve": "CVE-2022-23586"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48777/f17", "id": "pyup.io-48777", "type": "cve", "cve": "CVE-2021-29553"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48782/f17", "id": "pyup.io-48782", "type": "cve", "cve": "CVE-2021-29558"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its 
dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48720/f17", "id": "pyup.io-48720", "type": "cve", "cve": "CVE-2020-26268"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48914/f17", "id": "pyup.io-48914", "type": "cve", "cve": "CVE-2021-41203"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48681/f17", "id": "pyup.io-48681", "type": "cve", "cve": "CVE-2019-5482"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48682/f17", "id": "pyup.io-48682", "type": "cve", "cve": "CVE-2020-11655"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48683/f17", "id": "pyup.io-48683", "type": "cve", "cve": "CVE-2020-11656"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48770/f17", "id": "pyup.io-48770", "type": "cve", "cve": "CVE-2021-29546"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48919/f17", "id": "pyup.io-48919", "type": "cve", "cve": "CVE-2021-41208"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48924/f17", "id": "pyup.io-48924", "type": "cve", "cve": "CVE-2021-41213"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to 
v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48852/f17", "id": "pyup.io-48852", "type": "cve", "cve": "CVE-2021-37644"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48684/f17", "id": "pyup.io-48684", "type": "cve", "cve": "CVE-2020-13434"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48686/f17", "id": "pyup.io-48686", "type": "cve", "cve": "CVE-2020-13630"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48689/f17", "id": "pyup.io-48689", "type": "cve", "cve": "CVE-2020-13871"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48690/f17", "id": "pyup.io-48690", "type": "cve", "cve": "CVE-2020-14155"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48691/f17", "id": "pyup.io-48691", "type": "cve", "cve": "CVE-2020-15190"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48812/f17", "id": "pyup.io-48812", "type": "cve", "cve": "CVE-2021-29588"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48827/f17", "id": "pyup.io-48827", "type": "cve", "cve": "CVE-2021-29603"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": 
true, "more_info_path": "/v/48846/f17", "id": "pyup.io-48846", "type": "cve", "cve": "CVE-2021-37637"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48694/f17", "id": "pyup.io-48694", "type": "cve", "cve": "CVE-2020-15202"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48775/f17", "id": "pyup.io-48775", "type": "cve", "cve": "CVE-2021-29551"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48840/f17", "id": "pyup.io-48840", "type": "cve", "cve": "CVE-2021-29616"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48699/f17", "id": "pyup.io-48699", "type": "cve", "cve": "CVE-2020-15207"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48901/f17", "id": "pyup.io-48901", "type": "cve", "cve": "CVE-2021-22922"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48788/f17", "id": "pyup.io-48788", "type": "cve", "cve": "CVE-2021-29564"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48792/f17", "id": "pyup.io-48792", "type": "cve", "cve": "CVE-2021-29568"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, 
"more_info_path": "/v/48793/f17", "id": "pyup.io-48793", "type": "cve", "cve": "CVE-2021-29569"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48904/f17", "id": "pyup.io-48904", "type": "cve", "cve": "CVE-2021-22925"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48702/f17", "id": "pyup.io-48702", "type": "cve", "cve": "CVE-2020-15210"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48920/f17", "id": "pyup.io-48920", "type": "cve", "cve": "CVE-2021-41209"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48892/f17", "id": "pyup.io-48892", "type": "cve", "cve": "CVE-2021-37684"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48930/f17", "id": "pyup.io-48930", "type": "cve", "cve": "CVE-2021-41219"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48962/f17", "id": "pyup.io-48962", "type": "cve", "cve": "CVE-2022-23563"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48980/f17", "id": "pyup.io-48980", "type": "cve", "cve": "CVE-2022-23581"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, 
"more_info_path": "/v/48981/f17", "id": "pyup.io-48981", "type": "cve", "cve": "CVE-2022-23582"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48709/f17", "id": "pyup.io-48709", "type": "cve", "cve": "CVE-2020-26271"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48722/f17", "id": "pyup.io-48722", "type": "cve", "cve": "CVE-2020-26271"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48718/f17", "id": "pyup.io-48718", "type": "cve", "cve": "CVE-2020-26266"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48751/f17", "id": "pyup.io-48751", "type": "cve", "cve": "CVE-2021-29527"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48733/f17", "id": "pyup.io-48733", "type": "cve", "cve": "CVE-2021-22897"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48753/f17", "id": "pyup.io-48753", "type": "cve", "cve": "CVE-2021-29529"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48737/f17", "id": "pyup.io-48737", "type": "cve", "cve": "CVE-2021-29513"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": 
"/v/48739/f17", "id": "pyup.io-48739", "type": "cve", "cve": "CVE-2021-29515"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48744/f17", "id": "pyup.io-48744", "type": "cve", "cve": "CVE-2021-29520"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48888/f17", "id": "pyup.io-48888", "type": "cve", "cve": "CVE-2021-37680"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48747/f17", "id": "pyup.io-48747", "type": "cve", "cve": "CVE-2021-29523"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48758/f17", "id": "pyup.io-48758", "type": "cve", "cve": "CVE-2021-29534"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48761/f17", "id": "pyup.io-48761", "type": "cve", "cve": "CVE-2021-29537"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48762/f17", "id": "pyup.io-48762", "type": "cve", "cve": "CVE-2021-29538"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48766/f17", "id": "pyup.io-48766", "type": "cve", "cve": "CVE-2021-29542"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, 
"more_info_path": "/v/48768/f17", "id": "pyup.io-48768", "type": "cve", "cve": "CVE-2021-29544"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48776/f17", "id": "pyup.io-48776", "type": "cve", "cve": "CVE-2021-29552"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48805/f17", "id": "pyup.io-48805", "type": "cve", "cve": "CVE-2021-29581"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48794/f17", "id": "pyup.io-48794", "type": "cve", "cve": "CVE-2021-29570"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48786/f17", "id": "pyup.io-48786", "type": "cve", "cve": "CVE-2021-29562"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48787/f17", "id": "pyup.io-48787", "type": "cve", "cve": "CVE-2021-29563"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48789/f17", "id": "pyup.io-48789", "type": "cve", "cve": "CVE-2021-29565"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48804/f17", "id": "pyup.io-48804", "type": "cve", "cve": "CVE-2021-29580"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", 
"transitive": true, "more_info_path": "/v/48806/f17", "id": "pyup.io-48806", "type": "cve", "cve": "CVE-2021-29582"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48807/f17", "id": "pyup.io-48807", "type": "cve", "cve": "CVE-2021-29583"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48808/f17", "id": "pyup.io-48808", "type": "cve", "cve": "CVE-2021-29584"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48797/f17", "id": "pyup.io-48797", "type": "cve", "cve": "CVE-2021-29573"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48801/f17", "id": "pyup.io-48801", "type": "cve", "cve": "CVE-2021-29577"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48816/f17", "id": "pyup.io-48816", "type": "cve", "cve": "CVE-2021-29592"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48853/f17", "id": "pyup.io-48853", "type": "cve", "cve": "CVE-2021-37645"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48835/f17", "id": "pyup.io-48835", "type": "cve", "cve": "CVE-2021-29611"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security 
fixes.", "transitive": true, "more_info_path": "/v/48841/f17", "id": "pyup.io-48841", "type": "cve", "cve": "CVE-2021-29617"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48842/f17", "id": "pyup.io-48842", "type": "cve", "cve": "CVE-2021-29618"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48848/f17", "id": "pyup.io-48848", "type": "cve", "cve": "CVE-2021-37639"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48849/f17", "id": "pyup.io-48849", "type": "cve", "cve": "CVE-2021-37641"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48854/f17", "id": "pyup.io-48854", "type": "cve", "cve": "CVE-2021-37646"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48855/f17", "id": "pyup.io-48855", "type": "cve", "cve": "CVE-2021-37647"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48857/f17", "id": "pyup.io-48857", "type": "cve", "cve": "CVE-2021-37649"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48862/f17", "id": "pyup.io-48862", "type": "cve", "cve": "CVE-2021-37654"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include 
security fixes.", "transitive": true, "more_info_path": "/v/48864/f17", "id": "pyup.io-48864", "type": "cve", "cve": "CVE-2021-37656"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48876/f17", "id": "pyup.io-48876", "type": "cve", "cve": "CVE-2021-37668"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48872/f17", "id": "pyup.io-48872", "type": "cve", "cve": "CVE-2021-37664"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48874/f17", "id": "pyup.io-48874", "type": "cve", "cve": "CVE-2021-37666"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48879/f17", "id": "pyup.io-48879", "type": "cve", "cve": "CVE-2021-37671"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48885/f17", "id": "pyup.io-48885", "type": "cve", "cve": "CVE-2021-37677"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48897/f17", "id": "pyup.io-48897", "type": "cve", "cve": "CVE-2021-37689"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48911/f17", "id": "pyup.io-48911", "type": "cve", "cve": "CVE-2021-41200"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include 
security fixes.", "transitive": true, "more_info_path": "/v/48697/f17", "id": "pyup.io-48697", "type": "cve", "cve": "CVE-2020-15205"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48700/f17", "id": "pyup.io-48700", "type": "cve", "cve": "CVE-2020-15208"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48707/f17", "id": "pyup.io-48707", "type": "cve", "cve": "CVE-2020-26268"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48719/f17", "id": "pyup.io-48719", "type": "cve", "cve": "CVE-2020-26267"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48929/f17", "id": "pyup.io-48929", "type": "cve", "cve": "CVE-2021-41218"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48932/f17", "id": "pyup.io-48932", "type": "cve", "cve": "CVE-2021-41222"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48947/f17", "id": "pyup.io-48947", "type": "cve", "cve": "CVE-2022-21733"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48949/f17", "id": "pyup.io-48949", "type": "cve", "cve": "CVE-2022-21735"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", 
"transitive": true, "more_info_path": "/v/48732/f17", "id": "pyup.io-48732", "type": "cve", "cve": "CVE-2021-22876"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48738/f17", "id": "pyup.io-48738", "type": "cve", "cve": "CVE-2021-29514"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48968/f17", "id": "pyup.io-48968", "type": "cve", "cve": "CVE-2022-23569"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48760/f17", "id": "pyup.io-48760", "type": "cve", "cve": "CVE-2021-29536"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48764/f17", "id": "pyup.io-48764", "type": "cve", "cve": "CVE-2021-29540"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48743/f17", "id": "pyup.io-48743", "type": "cve", "cve": "CVE-2021-29519"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48784/f17", "id": "pyup.io-48784", "type": "cve", "cve": "CVE-2021-29560"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48798/f17", "id": "pyup.io-48798", "type": "cve", "cve": "CVE-2021-29574"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security 
fixes.", "transitive": true, "more_info_path": "/v/48795/f17", "id": "pyup.io-48795", "type": "cve", "cve": "CVE-2021-29571"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48800/f17", "id": "pyup.io-48800", "type": "cve", "cve": "CVE-2021-29576"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48870/f17", "id": "pyup.io-48870", "type": "cve", "cve": "CVE-2021-37662"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48908/f17", "id": "pyup.io-48908", "type": "cve", "cve": "CVE-2021-41197"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48951/f17", "id": "pyup.io-48951", "type": "cve", "cve": "CVE-2022-21737"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48953/f17", "id": "pyup.io-48953", "type": "cve", "cve": "CVE-2022-21739"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48741/f17", "id": "pyup.io-48741", "type": "cve", "cve": "CVE-2021-29517"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48750/f17", "id": "pyup.io-48750", "type": "cve", "cve": "CVE-2021-29526"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include 
security fixes.", "transitive": true, "more_info_path": "/v/48966/f17", "id": "pyup.io-48966", "type": "cve", "cve": "CVE-2022-23567"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48967/f17", "id": "pyup.io-48967", "type": "cve", "cve": "CVE-2022-23568"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48973/f17", "id": "pyup.io-48973", "type": "cve", "cve": "CVE-2022-23574"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48979/f17", "id": "pyup.io-48979", "type": "cve", "cve": "CVE-2022-23580"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48773/f17", "id": "pyup.io-48773", "type": "cve", "cve": "CVE-2021-29549"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48746/f17", "id": "pyup.io-48746", "type": "cve", "cve": "CVE-2021-29522"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48907/f17", "id": "pyup.io-48907", "type": "cve", "cve": "CVE-2021-41196"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48925/f17", "id": "pyup.io-48925", "type": "cve", "cve": "CVE-2021-41214"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to 
include security fixes.", "transitive": true, "more_info_path": "/v/48937/f17", "id": "pyup.io-48937", "type": "cve", "cve": "CVE-2021-41227"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48950/f17", "id": "pyup.io-48950", "type": "cve", "cve": "CVE-2022-21736"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48948/f17", "id": "pyup.io-48948", "type": "cve", "cve": "CVE-2022-21734"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48859/f17", "id": "pyup.io-48859", "type": "cve", "cve": "CVE-2021-37651"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48727/f17", "id": "pyup.io-48727", "type": "cve", "cve": "CVE-2020-8177"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48958/f17", "id": "pyup.io-48958", "type": "cve", "cve": "CVE-2022-23559"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48963/f17", "id": "pyup.io-48963", "type": "cve", "cve": "CVE-2022-23564"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48771/f17", "id": "pyup.io-48771", "type": "cve", "cve": "CVE-2021-29547"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to 
v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48868/f17", "id": "pyup.io-48868", "type": "cve", "cve": "CVE-2021-37660"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48867/f17", "id": "pyup.io-48867", "type": "cve", "cve": "CVE-2021-37659"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48880/f17", "id": "pyup.io-48880", "type": "cve", "cve": "CVE-2021-37672"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48895/f17", "id": "pyup.io-48895", "type": "cve", "cve": "CVE-2021-37687"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48783/f17", "id": "pyup.io-48783", "type": "cve", "cve": "CVE-2021-29559"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48976/f17", "id": "pyup.io-48976", "type": "cve", "cve": "CVE-2022-23577"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48714/f17", "id": "pyup.io-48714", "type": "cve", "cve": "CVE-2020-14155"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48860/f17", "id": "pyup.io-48860", "type": "cve", "cve": "CVE-2021-37652"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to 
v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48834/f17", "id": "pyup.io-48834", "type": "cve", "cve": "CVE-2021-29610"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48749/f17", "id": "pyup.io-48749", "type": "cve", "cve": "CVE-2021-29525"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48790/f17", "id": "pyup.io-48790", "type": "cve", "cve": "CVE-2021-29566"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48869/f17", "id": "pyup.io-48869", "type": "cve", "cve": "CVE-2021-37661"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48740/f17", "id": "pyup.io-48740", "type": "cve", "cve": "CVE-2021-29516"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48943/f17", "id": "pyup.io-48943", "type": "cve", "cve": "CVE-2022-21729"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48942/f17", "id": "pyup.io-48942", "type": "cve", "cve": "CVE-2022-21728"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48955/f17", "id": "pyup.io-48955", "type": "cve", "cve": "CVE-2022-21741"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48822/f17", "id": "pyup.io-48822", "type": "cve", "cve": "CVE-2021-29598"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48952/f17", "id": "pyup.io-48952", "type": "cve", "cve": "CVE-2022-21738"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48781/f17", "id": "pyup.io-48781", "type": "cve", "cve": "CVE-2021-29557"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48721/f17", "id": "pyup.io-48721", "type": "cve", "cve": "CVE-2020-26270"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48989/f17", "id": "pyup.io-48989", "type": "cve", "cve": "CVE-2022-23591"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48757/f17", "id": "pyup.io-48757", "type": "cve", "cve": "CVE-2021-29533"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48754/f17", "id": "pyup.io-48754", "type": "cve", "cve": "CVE-2021-29530"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48906/f17", "id": "pyup.io-48906", "type": "cve", "cve": "CVE-2021-41195"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48769/f17", "id": "pyup.io-48769", "type": "cve", "cve": "CVE-2021-29545"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48882/f17", "id": "pyup.io-48882", "type": "cve", "cve": "CVE-2021-37674"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48940/f17", "id": "pyup.io-48940", "type": "cve", "cve": "CVE-2022-21726"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48987/f17", "id": "pyup.io-48987", "type": "cve", "cve": "CVE-2022-23588"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48915/f17", "id": "pyup.io-48915", "type": "cve", "cve": "CVE-2021-41204"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48934/f17", "id": "pyup.io-48934", "type": "cve", "cve": "CVE-2021-41224"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48696/f17", "id": "pyup.io-48696", "type": "cve", "cve": "CVE-2020-15204"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48778/f17", "id": "pyup.io-48778", "type": "cve", "cve": "CVE-2021-29554"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48926/f17", "id": "pyup.io-48926", "type": "cve", "cve": "CVE-2021-41215"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48742/f17", "id": "pyup.io-48742", "type": "cve", "cve": "CVE-2021-29518"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48763/f17", "id": "pyup.io-48763", "type": "cve", "cve": "CVE-2021-29539"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48767/f17", "id": "pyup.io-48767", "type": "cve", "cve": "CVE-2021-29543"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48774/f17", "id": "pyup.io-48774", "type": "cve", "cve": "CVE-2021-29550"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48779/f17", "id": "pyup.io-48779", "type": "cve", "cve": "CVE-2021-29555"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48815/f17", "id": "pyup.io-48815", "type": "cve", "cve": "CVE-2021-29591"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48896/f17", "id": "pyup.io-48896", "type": "cve", "cve": "CVE-2021-37688"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its 
dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48829/f17", "id": "pyup.io-48829", "type": "cve", "cve": "CVE-2021-29605"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48831/f17", "id": "pyup.io-48831", "type": "cve", "cve": "CVE-2021-29607"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48850/f17", "id": "pyup.io-48850", "type": "cve", "cve": "CVE-2021-37642"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48858/f17", "id": "pyup.io-48858", "type": "cve", "cve": "CVE-2021-37650"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48873/f17", "id": "pyup.io-48873", "type": "cve", "cve": "CVE-2021-37665"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48878/f17", "id": "pyup.io-48878", "type": "cve", "cve": "CVE-2021-37670"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48883/f17", "id": "pyup.io-48883", "type": "cve", "cve": "CVE-2021-37675"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48886/f17", "id": "pyup.io-48886", "type": "cve", "cve": "CVE-2021-37678"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 
updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48889/f17", "id": "pyup.io-48889", "type": "cve", "cve": "CVE-2021-37681"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48890/f17", "id": "pyup.io-48890", "type": "cve", "cve": "CVE-2021-37682"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48893/f17", "id": "pyup.io-48893", "type": "cve", "cve": "CVE-2021-37685"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48898/f17", "id": "pyup.io-48898", "type": "cve", "cve": "CVE-2021-37690"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48916/f17", "id": "pyup.io-48916", "type": "cve", "cve": "CVE-2021-41205"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48928/f17", "id": "pyup.io-48928", "type": "cve", "cve": "CVE-2021-41217"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48931/f17", "id": "pyup.io-48931", "type": "cve", "cve": "CVE-2021-41221"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48935/f17", "id": "pyup.io-48935", "type": "cve", "cve": "CVE-2021-41225"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 
0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48939/f17", "id": "pyup.io-48939", "type": "cve", "cve": "CVE-2022-21725"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48941/f17", "id": "pyup.io-48941", "type": "cve", "cve": "CVE-2022-21727"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48946/f17", "id": "pyup.io-48946", "type": "cve", "cve": "CVE-2022-21732"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48964/f17", "id": "pyup.io-48964", "type": "cve", "cve": "CVE-2022-23565"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48956/f17", "id": "pyup.io-48956", "type": "cve", "cve": "CVE-2022-23557"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48957/f17", "id": "pyup.io-48957", "type": "cve", "cve": "CVE-2022-23558"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48960/f17", "id": "pyup.io-48960", "type": "cve", "cve": "CVE-2022-23561"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48755/f17", "id": "pyup.io-48755", "type": "cve", "cve": "CVE-2021-29531"}, {"specs": ["<0.10.0rc1"], "advisory": 
"Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48759/f17", "id": "pyup.io-48759", "type": "cve", "cve": "CVE-2021-29535"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48984/f17", "id": "pyup.io-48984", "type": "cve", "cve": "CVE-2022-23585"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48845/f17", "id": "pyup.io-48845", "type": "cve", "cve": "CVE-2021-37636"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48838/f17", "id": "pyup.io-48838", "type": "cve", "cve": "CVE-2021-29614"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48899/f17", "id": "pyup.io-48899", "type": "cve", "cve": "CVE-2021-37691"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48913/f17", "id": "pyup.io-48913", "type": "cve", "cve": "CVE-2021-41202"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48716/f17", "id": "pyup.io-48716", "type": "cve", "cve": "CVE-2020-15265"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48918/f17", "id": "pyup.io-48918", "type": "cve", "cve": "CVE-2021-41207"}, {"specs": ["<0.12.0rc0"], "advisory": 
"Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48921/f17", "id": "pyup.io-48921", "type": "cve", "cve": "CVE-2021-41210"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48954/f17", "id": "pyup.io-48954", "type": "cve", "cve": "CVE-2022-21740"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48961/f17", "id": "pyup.io-48961", "type": "cve", "cve": "CVE-2022-23562"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48875/f17", "id": "pyup.io-48875", "type": "cve", "cve": "CVE-2021-37667"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48909/f17", "id": "pyup.io-48909", "type": "cve", "cve": "CVE-2021-41198"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48969/f17", "id": "pyup.io-48969", "type": "cve", "cve": "CVE-2022-23570"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48972/f17", "id": "pyup.io-48972", "type": "cve", "cve": "CVE-2022-23573"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48978/f17", "id": "pyup.io-48978", "type": "cve", "cve": "CVE-2022-23579"}, {"specs": ["<=0.12.0rc2"], 
"advisory": "Deepcell 0.12.0rc2 and prior include a version of TensorFlow (2.8.0) with known vulnerabilities.", "transitive": true, "more_info_path": "/v/48591/f17", "id": "pyup.io-48591", "type": "cve", "cve": "CVE-2022-35939"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48677/f17", "id": "pyup.io-48677", "type": "cve", "cve": "CVE-2019-19646"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48678/f17", "id": "pyup.io-48678", "type": "cve", "cve": "CVE-2019-19880"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48679/f17", "id": "pyup.io-48679", "type": "cve", "cve": "CVE-2019-20838"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48687/f17", "id": "pyup.io-48687", "type": "cve", "cve": "CVE-2020-13631"}, {"specs": ["<0.8"], "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48711/f17", "id": "pyup.io-48711", "type": "cve", "cve": "CVE-2020-9327"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48713/f17", "id": "pyup.io-48713", "type": "cve", "cve": "CVE-2020-13790"}, {"specs": ["<0.9"], "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48715/f17", "id": "pyup.io-48715", "type": "cve", "cve": "CVE-2020-15250"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to 
v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48723/f17", "id": "pyup.io-48723", "type": "cve", "cve": "CVE-2020-8169"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48728/f17", "id": "pyup.io-48728", "type": "cve", "cve": "CVE-2020-8231"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48731/f17", "id": "pyup.io-48731", "type": "cve", "cve": "CVE-2020-8286"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48734/f17", "id": "pyup.io-48734", "type": "cve", "cve": "CVE-2021-22898"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48735/f17", "id": "pyup.io-48735", "type": "cve", "cve": "CVE-2021-22901"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48900/f17", "id": "pyup.io-48900", "type": "cve", "cve": "CVE-2020-10531"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48902/f17", "id": "pyup.io-48902", "type": "cve", "cve": "CVE-2021-22923"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48905/f17", "id": "pyup.io-48905", "type": "cve", "cve": "CVE-2021-22926"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48983/f17", "id": "pyup.io-48983", "type": "cve", "cve": "CVE-2022-23584"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48839/f17", "id": "pyup.io-48839", "type": "cve", "cve": "CVE-2021-29615"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48844/f17", "id": "pyup.io-48844", "type": "cve", "cve": "CVE-2021-37635"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48851/f17", "id": "pyup.io-48851", "type": "cve", "cve": "CVE-2021-37643"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48944/f17", "id": "pyup.io-48944", "type": "cve", "cve": "CVE-2022-21730"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48871/f17", "id": "pyup.io-48871", "type": "cve", "cve": "CVE-2021-37663"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48971/f17", "id": "pyup.io-48971", "type": "cve", "cve": "CVE-2022-23572"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48975/f17", "id": "pyup.io-48975", "type": "cve", "cve": "CVE-2022-23576"}, {"specs": ["<0.12.0rc0"], "advisory": "Deepcell 0.12.0rc0 updates its 
dependency 'TensorFlow' to v2.8.0 to include security fixes.", "transitive": true, "more_info_path": "/v/48970/f17", "id": "pyup.io-48970", "type": "cve", "cve": "CVE-2022-23571"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48811/f17", "id": "pyup.io-48811", "type": "cve", "cve": "CVE-2021-29587"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48825/f17", "id": "pyup.io-48825", "type": "cve", "cve": "CVE-2021-29601"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48826/f17", "id": "pyup.io-48826", "type": "cve", "cve": "CVE-2021-29602"}, {"specs": ["<0.10.0rc1"], "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "transitive": true, "more_info_path": "/v/48830/f17", "id": "pyup.io-48830", "type": "cve", "cve": "CVE-2021-29606"}], "beginner": [{"specs": [">=0.0.2,<0.0.5"], "advisory": "The Beginner package in PyPI v0.0.2 to v0.0.4 was discovered to contain a code execution backdoor via the request package. 
This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.", "transitive": false, "more_info_path": "/v/54413/f17", "id": "pyup.io-54413", "type": "cve", "cve": "CVE-2022-33004"}], "wdmtoolbox": [{"specs": ["<12.9.3"], "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'pygments>=2.7.4' to include security fixes.", "transitive": true, "more_info_path": "/v/49502/f17", "id": "pyup.io-49502", "type": "cve", "cve": "CVE-2021-20270"}, {"specs": ["<12.9.3"], "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'numpy>=1.22.2' to include security fixes.", "transitive": true, "more_info_path": "/v/49447/f17", "id": "pyup.io-49447", "type": "cve", "cve": "CVE-2021-41495"}, {"specs": ["<12.9.3"], "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'sphinx>=3.0.4' to include security fixes.", "transitive": true, "more_info_path": "/v/49504/f17", "id": "pyup.io-49504", "type": "cve", "cve": "CVE-2020-11022"}, {"specs": ["<12.9.3"], "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'pygments>=2.7.4' to include security fixes.", "transitive": true, "more_info_path": "/v/49503/f17", "id": "pyup.io-49503", "type": "cve", "cve": "CVE-2021-27291"}, {"specs": ["<12.9.3"], "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'numpy>=1.22.2' to include security fixes.", "transitive": true, "more_info_path": "/v/49505/f17", "id": "pyup.io-49505", "type": "cve", "cve": "CVE-2020-11023"}, {"specs": ["<12.9.3"], "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'numpy>=1.22.2' to include security fixes.", "transitive": true, "more_info_path": "/v/49501/f17", "id": "pyup.io-49501", "type": "cve", "cve": "CVE-2021-41496"}], "django-hijack": [{"specs": ["<1.0.7"], "advisory": "Django-hijack before 1.0.7 fixes a HTML injection vulnerability in admin.\r\nhttps://github.com/django-hijack/django-hijack/commit/4ad17c88629fed8bfad93e3c0a59ee3792c61ca4", "transitive": false, "more_info_path": "/v/25765/f17", "id": 
"pyup.io-25765", "type": "pve", "cve": "PVE-2021-25765"}], "tensorpy": [{"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46605/f17", "id": "pyup.io-46605", "type": "cve", "cve": "CVE-2021-41228"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46572/f17", "id": "pyup.io-46572", "type": "cve", "cve": "CVE-2021-22925"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44420/f17", "id": "pyup.io-44420", "type": "cve", "cve": "CVE-2020-15210"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46565/f17", "id": "pyup.io-46565", "type": "cve", "cve": "CVE-2020-26267"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46595/f17", "id": "pyup.io-46595", "type": "cve", "cve": "CVE-2021-41217"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46626/f17", "id": "pyup.io-46626", "type": "cve", "cve": "CVE-2022-23561"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46640/f17", "id": "pyup.io-46640", "type": "cve", "cve": "CVE-2022-23575"}, 
{"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46573/f17", "id": "pyup.io-46573", "type": "cve", "cve": "CVE-2021-22926"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46571/f17", "id": "pyup.io-46571", "type": "cve", "cve": "CVE-2021-22924"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44418/f17", "id": "pyup.io-44418", "type": "cve", "cve": "CVE-2020-15190"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44386/f17", "id": "pyup.io-44386", "type": "cve", "cve": "CVE-2020-5215"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44388/f17", "id": "pyup.io-44388", "type": "cve", "cve": "CVE-2019-16778"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44389/f17", "id": "pyup.io-44389", "type": "pve", "cve": "PVE-2021-37524"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44392/f17", "id": "pyup.io-44392", "type": "cve", "cve": "CVE-2018-17190"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44397/f17", "id": "pyup.io-44397", "type": "cve", "cve": "CVE-2019-10099"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to 
v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44403/f17", "id": "pyup.io-44403", "type": "cve", "cve": "CVE-2020-15204"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44406/f17", "id": "pyup.io-44406", "type": "cve", "cve": "CVE-2020-15206"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44411/f17", "id": "pyup.io-44411", "type": "cve", "cve": "CVE-2020-13435"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44414/f17", "id": "pyup.io-44414", "type": "cve", "cve": "CVE-2020-15209"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44417/f17", "id": "pyup.io-44417", "type": "cve", "cve": "CVE-2020-15207"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44394/f17", "id": "pyup.io-44394", "type": "cve", "cve": "CVE-2019-19244"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46558/f17", "id": "pyup.io-46558", "type": "cve", "cve": "CVE-2020-10531"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46562/f17", "id": "pyup.io-46562", "type": "cve", "cve": "CVE-2020-15265"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known 
vulnerabilities.", "transitive": true, "more_info_path": "/v/46563/f17", "id": "pyup.io-46563", "type": "cve", "cve": "CVE-2020-15266"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44416/f17", "id": "pyup.io-44416", "type": "cve", "cve": "CVE-2020-15195"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46567/f17", "id": "pyup.io-46567", "type": "cve", "cve": "CVE-2020-26270"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44419/f17", "id": "pyup.io-44419", "type": "cve", "cve": "CVE-2020-15203"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46568/f17", "id": "pyup.io-46568", "type": "cve", "cve": "CVE-2020-26271"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44400/f17", "id": "pyup.io-44400", "type": "cve", "cve": "CVE-2020-15211"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44402/f17", "id": "pyup.io-44402", "type": "cve", "cve": "CVE-2020-15194"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46574/f17", "id": "pyup.io-46574", "type": "cve", "cve": "CVE-2021-41195"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", 
"transitive": true, "more_info_path": "/v/44404/f17", "id": "pyup.io-44404", "type": "cve", "cve": "CVE-2020-15205"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46575/f17", "id": "pyup.io-46575", "type": "cve", "cve": "CVE-2021-41196"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44405/f17", "id": "pyup.io-44405", "type": "cve", "cve": "CVE-2020-15202"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44407/f17", "id": "pyup.io-44407", "type": "cve", "cve": "CVE-2020-15208"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46577/f17", "id": "pyup.io-46577", "type": "cve", "cve": "CVE-2021-41198"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46582/f17", "id": "pyup.io-46582", "type": "cve", "cve": "CVE-2021-41203"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46584/f17", "id": "pyup.io-46584", "type": "cve", "cve": "CVE-2021-41205"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46585/f17", "id": "pyup.io-46585", "type": "cve", "cve": "CVE-2021-41206"}, {"specs": 
["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46586/f17", "id": "pyup.io-46586", "type": "cve", "cve": "CVE-2021-41207"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46589/f17", "id": "pyup.io-46589", "type": "cve", "cve": "CVE-2021-41210"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46591/f17", "id": "pyup.io-46591", "type": "cve", "cve": "CVE-2021-41213"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46590/f17", "id": "pyup.io-46590", "type": "cve", "cve": "CVE-2021-41212"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46592/f17", "id": "pyup.io-46592", "type": "cve", "cve": "CVE-2021-41214"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46570/f17", "id": "pyup.io-46570", "type": "cve", "cve": "CVE-2021-22923"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46601/f17", "id": "pyup.io-46601", "type": "cve", "cve": "CVE-2021-41224"}, {"specs": ["<=1.6.1"], "advisory": 
"Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46603/f17", "id": "pyup.io-46603", "type": "cve", "cve": "CVE-2021-41226"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46604/f17", "id": "pyup.io-46604", "type": "cve", "cve": "CVE-2021-41227"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46607/f17", "id": "pyup.io-46607", "type": "cve", "cve": "CVE-2022-21726"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46608/f17", "id": "pyup.io-46608", "type": "cve", "cve": "CVE-2022-21727"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46609/f17", "id": "pyup.io-46609", "type": "cve", "cve": "CVE-2022-21728"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46610/f17", "id": "pyup.io-46610", "type": "cve", "cve": "CVE-2022-21729"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46611/f17", "id": "pyup.io-46611", "type": "cve", "cve": "CVE-2022-21730"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 
and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46614/f17", "id": "pyup.io-46614", "type": "cve", "cve": "CVE-2022-21733"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46615/f17", "id": "pyup.io-46615", "type": "cve", "cve": "CVE-2022-21734"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46619/f17", "id": "pyup.io-46619", "type": "cve", "cve": "CVE-2022-21738"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46616/f17", "id": "pyup.io-46616", "type": "cve", "cve": "CVE-2022-21735"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46618/f17", "id": "pyup.io-46618", "type": "cve", "cve": "CVE-2022-21737"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46620/f17", "id": "pyup.io-46620", "type": "cve", "cve": "CVE-2022-21739"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46622/f17", "id": "pyup.io-46622", "type": "cve", "cve": "CVE-2022-23557"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as 
dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46623/f17", "id": "pyup.io-46623", "type": "cve", "cve": "CVE-2022-23558"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46557/f17", "id": "pyup.io-46557", "type": "cve", "cve": "CVE-2019-20838"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46566/f17", "id": "pyup.io-46566", "type": "cve", "cve": "CVE-2020-26268"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46624/f17", "id": "pyup.io-46624", "type": "cve", "cve": "CVE-2022-23559"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46564/f17", "id": "pyup.io-46564", "type": "cve", "cve": "CVE-2020-26266"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46576/f17", "id": "pyup.io-46576", "type": "cve", "cve": "CVE-2021-41197"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46578/f17", "id": "pyup.io-46578", "type": "cve", "cve": "CVE-2021-41199"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow 
v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46579/f17", "id": "pyup.io-46579", "type": "cve", "cve": "CVE-2021-41200"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46580/f17", "id": "pyup.io-46580", "type": "cve", "cve": "CVE-2021-41201"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46612/f17", "id": "pyup.io-46612", "type": "cve", "cve": "CVE-2022-21731"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46613/f17", "id": "pyup.io-46613", "type": "cve", "cve": "CVE-2022-21732"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46617/f17", "id": "pyup.io-46617", "type": "cve", "cve": "CVE-2022-21736"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46621/f17", "id": "pyup.io-46621", "type": "cve", "cve": "CVE-2022-21740"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46629/f17", "id": "pyup.io-46629", "type": "cve", "cve": "CVE-2022-23564"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that 
have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46581/f17", "id": "pyup.io-46581", "type": "cve", "cve": "CVE-2021-41202"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46593/f17", "id": "pyup.io-46593", "type": "cve", "cve": "CVE-2021-41215"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46583/f17", "id": "pyup.io-46583", "type": "cve", "cve": "CVE-2021-41204"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46587/f17", "id": "pyup.io-46587", "type": "cve", "cve": "CVE-2021-41208"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46588/f17", "id": "pyup.io-46588", "type": "cve", "cve": "CVE-2021-41209"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46594/f17", "id": "pyup.io-46594", "type": "cve", "cve": "CVE-2021-41216"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46596/f17", "id": "pyup.io-46596", "type": "cve", "cve": "CVE-2021-41218"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known 
vulnerabilities.", "transitive": true, "more_info_path": "/v/46597/f17", "id": "pyup.io-46597", "type": "cve", "cve": "CVE-2021-41219"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46598/f17", "id": "pyup.io-46598", "type": "cve", "cve": "CVE-2021-41221"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46599/f17", "id": "pyup.io-46599", "type": "cve", "cve": "CVE-2021-41222"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46600/f17", "id": "pyup.io-46600", "type": "cve", "cve": "CVE-2021-41223"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46602/f17", "id": "pyup.io-46602", "type": "cve", "cve": "CVE-2021-41225"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46606/f17", "id": "pyup.io-46606", "type": "cve", "cve": "CVE-2022-21725"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46632/f17", "id": "pyup.io-46632", "type": "cve", "cve": "CVE-2022-23567"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", 
"transitive": true, "more_info_path": "/v/46633/f17", "id": "pyup.io-46633", "type": "cve", "cve": "CVE-2022-23568"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46634/f17", "id": "pyup.io-46634", "type": "cve", "cve": "CVE-2022-23569"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46635/f17", "id": "pyup.io-46635", "type": "cve", "cve": "CVE-2022-23570"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46639/f17", "id": "pyup.io-46639", "type": "cve", "cve": "CVE-2022-23574"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46649/f17", "id": "pyup.io-46649", "type": "cve", "cve": "CVE-2022-23584"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46650/f17", "id": "pyup.io-46650", "type": "cve", "cve": "CVE-2022-23585"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46651/f17", "id": "pyup.io-46651", "type": "cve", "cve": "CVE-2022-23586"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, 
"more_info_path": "/v/46652/f17", "id": "pyup.io-46652", "type": "cve", "cve": "CVE-2022-23587"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46653/f17", "id": "pyup.io-46653", "type": "cve", "cve": "CVE-2022-23588"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46655/f17", "id": "pyup.io-46655", "type": "cve", "cve": "CVE-2022-23591"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46654/f17", "id": "pyup.io-46654", "type": "cve", "cve": "CVE-2022-23589"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46625/f17", "id": "pyup.io-46625", "type": "cve", "cve": "CVE-2022-23560"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46627/f17", "id": "pyup.io-46627", "type": "cve", "cve": "CVE-2022-23562"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46628/f17", "id": "pyup.io-46628", "type": "cve", "cve": "CVE-2022-23563"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": 
"/v/46636/f17", "id": "pyup.io-46636", "type": "cve", "cve": "CVE-2022-23571"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46637/f17", "id": "pyup.io-46637", "type": "cve", "cve": "CVE-2022-23572"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46642/f17", "id": "pyup.io-46642", "type": "cve", "cve": "CVE-2022-23577"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46646/f17", "id": "pyup.io-46646", "type": "cve", "cve": "CVE-2022-23581"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46647/f17", "id": "pyup.io-46647", "type": "cve", "cve": "CVE-2022-23582"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46648/f17", "id": "pyup.io-46648", "type": "cve", "cve": "CVE-2022-23583"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46656/f17", "id": "pyup.io-46656", "type": "cve", "cve": "CVE-2022-23595"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/38821/f17", "id": "pyup.io-38821", "type": "cve", "cve": "CVE-2019-19646"}, 
{"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44384/f17", "id": "pyup.io-44384", "type": "cve", "cve": "CVE-2019-5481"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44385/f17", "id": "pyup.io-44385", "type": "cve", "cve": "CVE-2019-16168"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44387/f17", "id": "pyup.io-44387", "type": "cve", "cve": "CVE-2019-5482"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44391/f17", "id": "pyup.io-44391", "type": "cve", "cve": "CVE-2018-19664"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44393/f17", "id": "pyup.io-44393", "type": "cve", "cve": "CVE-2019-19645"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44395/f17", "id": "pyup.io-44395", "type": "cve", "cve": "CVE-2019-19880"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44396/f17", "id": "pyup.io-44396", "type": "cve", "cve": "CVE-2018-20330"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44399/f17", "id": "pyup.io-44399", "type": "cve", "cve": "CVE-2019-13960"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44401/f17", "id": "pyup.io-44401", 
"type": "cve", "cve": "CVE-2020-13630"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44408/f17", "id": "pyup.io-44408", "type": "cve", "cve": "CVE-2020-11656"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44409/f17", "id": "pyup.io-44409", "type": "cve", "cve": "CVE-2020-11655"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44410/f17", "id": "pyup.io-44410", "type": "cve", "cve": "CVE-2020-13434"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44412/f17", "id": "pyup.io-44412", "type": "cve", "cve": "CVE-2020-13871"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44413/f17", "id": "pyup.io-44413", "type": "cve", "cve": "CVE-2020-13631"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44415/f17", "id": "pyup.io-44415", "type": "cve", "cve": "CVE-2020-9327"}, {"specs": ["<1.5.0"], "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "transitive": true, "more_info_path": "/v/44398/f17", "id": "pyup.io-44398", "type": "cve", "cve": "CVE-2018-11770"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46559/f17", "id": "pyup.io-46559", "type": "cve", "cve": "CVE-2020-13790"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as 
dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46560/f17", "id": "pyup.io-46560", "type": "cve", "cve": "CVE-2020-14155"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46561/f17", "id": "pyup.io-46561", "type": "cve", "cve": "CVE-2020-15250"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46569/f17", "id": "pyup.io-46569", "type": "cve", "cve": "CVE-2021-22922"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46630/f17", "id": "pyup.io-46630", "type": "cve", "cve": "CVE-2022-23565"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46631/f17", "id": "pyup.io-46631", "type": "cve", "cve": "CVE-2022-23566"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46638/f17", "id": "pyup.io-46638", "type": "cve", "cve": "CVE-2022-23573"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46641/f17", "id": "pyup.io-46641", "type": "cve", "cve": "CVE-2022-23576"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow 
v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46643/f17", "id": "pyup.io-46643", "type": "cve", "cve": "CVE-2022-23578"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46644/f17", "id": "pyup.io-46644", "type": "cve", "cve": "CVE-2022-23579"}, {"specs": ["<=1.6.1"], "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "transitive": true, "more_info_path": "/v/46645/f17", "id": "pyup.io-46645", "type": "cve", "cve": "CVE-2022-23580"}], "mayan-edms": [{"specs": ["<3.0.2"], "advisory": "Mayan-edms versions before 3.0.2 are affected by CVE-2018-16406:\r\nThe Cabinets app has XSS via a crafted cabinet label.\r\nhttps://gitlab.com/mayan-edms/mayan-edms/blob/master/HISTORY.rst\r\nhttps://gitlab.com/mayan-edms/mayan-edms/commit/48dfc06e49c7f773749e063f8cc69c95509d1c32\r\nhttps://gitlab.com/mayan-edms/mayan-edms/issues/495", "transitive": false, "more_info_path": "/v/41710/f17", "id": "pyup.io-41710", "type": "cve", "cve": "CVE-2018-16406"}, {"specs": ["<3.0.2"], "advisory": "Mayan-edms versions before 3.0.2 are affected by CVE-2018-16405:\r\nThe Appearance app sets window.location directly, leading to XSS.\r\nhttps://gitlab.com/mayan-edms/mayan-edms/blob/master/HISTORY.rst\r\nhttps://gitlab.com/mayan-edms/mayan-edms/commit/9ebe80595afe4fdd1e2c74358d6a9421f4ce130e\r\nhttps://gitlab.com/mayan-edms/mayan-edms/issues/494", "transitive": false, "more_info_path": "/v/41709/f17", "id": "pyup.io-41709", "type": "cve", "cve": "CVE-2018-16405"}, {"specs": ["<3.0.3"], "advisory": "Mayan-edms versions before 3.0.3 are affected by CVE-2018-16407:\r\nThe Tags app has XSS because tag label values are 
mishandled.\r\nhttps://gitlab.com/mayan-edms/mayan-edms/blob/master/HISTORY.rst\r\nhttps://gitlab.com/mayan-edms/mayan-edms/commit/076468a9225e4630a463c0bbceb8e5b805fe380c\r\nhttps://gitlab.com/mayan-edms/mayan-edms/issues/496", "transitive": false, "more_info_path": "/v/41711/f17", "id": "pyup.io-41711", "type": "cve", "cve": "CVE-2018-16407"}], "pyplanet": [{"specs": ["<0.7.0"], "advisory": "Pyplanet 0.7.0 updates its dependency 'pyyaml' to v5.1.2 to include a security fix.", "transitive": true, "more_info_path": "/v/49095/f17", "id": "pyup.io-49095", "type": "cve", "cve": "CVE-2017-18342"}, {"specs": ["<0.6.2"], "advisory": "pyplanet 0.6.2 - security: Upgraded library to solve security issues (requests library).", "transitive": false, "more_info_path": "/v/36666/f17", "id": "pyup.io-36666", "type": "pve", "cve": "PVE-2021-36666"}, {"specs": ["<0.7.0"], "advisory": "Pyplanet 0.7.0 updates its dependency 'urllib3' to v1.25.3 to include security fixes.", "transitive": true, "more_info_path": "/v/49093/f17", "id": "pyup.io-49093", "type": "cve", "cve": "CVE-2019-11236"}, {"specs": ["<0.7.0"], "advisory": "Pyplanet 0.7.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", "transitive": true, "more_info_path": "/v/37476/f17", "id": "pyup.io-37476", "type": "cve", "cve": "CVE-2019-10906"}, {"specs": ["<0.7.0"], "advisory": "Pyplanet 0.7.0 updates its dependency 'numpy' to v1.17.2 to include a security fix.", "transitive": true, "more_info_path": "/v/49094/f17", "id": "pyup.io-49094", "type": "cve", "cve": "CVE-2019-6446"}, {"specs": ["<0.7.0"], "advisory": "Pyplanet 0.7.0 updates its dependency 'urllib3' to v1.25.3 to include security fixes.", "transitive": true, "more_info_path": "/v/49092/f17", "id": "pyup.io-49092", "type": "cve", "cve": "CVE-2019-11324"}], "django-python3-ldap": [{"specs": ["<0.9.8"], "advisory": "Django-python3-ldap 0.9.8 fixes a security vulnerability allowing users to authenticate with a valid username but with an empty 
password if anonymous authentication is allowed on the LDAP server.\r\nhttps://github.com/etianen/django-python3-ldap/commit/17a94be4d6cc147407ac427e3067d432ac01a732", "transitive": false, "more_info_path": "/v/25780/f17", "id": "pyup.io-25780", "type": "pve", "cve": "PVE-2021-25780"}, {"specs": ["<0.9.5"], "advisory": "Django-python3-ldap 0.9.5 fixes a security vulnerability where username and password could be transmitted in plain text before starting TLS.\r\nhttps://github.com/etianen/django-python3-ldap/commit/a250194e2911e270a90b0eec2251343040a75ece", "transitive": false, "more_info_path": "/v/25779/f17", "id": "pyup.io-25779", "type": "pve", "cve": "PVE-2021-25779"}], "django-ninecms": [{"specs": ["<0.4.5b"], "advisory": "Django-ninecms before 0.4.5b has a unknown security issue in its url configuration.", "transitive": false, "more_info_path": "/v/25776/f17", "id": "pyup.io-25776", "type": "pve", "cve": "PVE-2021-25776"}], "django-relatives": [{"specs": ["<0.3.0"], "advisory": "Django-relatives before 0.3.0 is vulnerable to XSS in html tags.\r\nhttps://github.com/treyhunner/django-relatives/commit/6410ae4695389cb377ce23d35883d8b70b789deb", "transitive": false, "more_info_path": "/v/25782/f17", "id": "pyup.io-25782", "type": "pve", "cve": "PVE-2021-25782"}], "apache-dolphinscheduler": [{"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'h2' to v2.1.210 to include security fixes.", "transitive": true, "more_info_path": "/v/51310/f17", "id": "pyup.io-51310", "type": "cve", "cve": "CVE-2021-23463"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50530/f17", "id": "pyup.io-50530", "type": "cve", "cve": "CVE-2019-14379"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its 
MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50541/f17", "id": "pyup.io-50541", "type": "cve", "cve": "CVE-2018-19360"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50528/f17", "id": "pyup.io-50528", "type": "cve", "cve": "CVE-2019-14893"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50543/f17", "id": "pyup.io-50543", "type": "cve", "cve": "CVE-2018-19362"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'postgresql' to v42.3.4 to include security fixes.", "transitive": true, "more_info_path": "/v/50558/f17", "id": "pyup.io-50558", "type": "cve", "cve": "CVE-2022-31197"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49231/f17", "id": "pyup.io-49231", "type": "cve", "cve": "CVE-2020-35728"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50548/f17", "id": "pyup.io-50548", "type": "cve", "cve": "CVE-2018-12023"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50552/f17", "id": "pyup.io-50552", "type": "cve", "cve": "CVE-2020-11113"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", 
"transitive": true, "more_info_path": "/v/49229/f17", "id": "pyup.io-49229", "type": "cve", "cve": "CVE-2020-36188"}, {"specs": ["<3.0.0beta2"], "advisory": "Apache-dolphinscheduler 3.0.0beta2 updates its Maven dependency 'logback-core' to v1.2.11 to include a security fix.", "transitive": true, "more_info_path": "/v/49741/f17", "id": "pyup.io-49741", "type": "pve", "cve": "PVE-2022-49741"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires as a Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49233/f17", "id": "pyup.io-49233", "type": "cve", "cve": "CVE-2020-35491"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50527/f17", "id": "pyup.io-50527", "type": "cve", "cve": "CVE-2019-14892"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'commons-io' to v2.11.0 to include a security fix.", "transitive": true, "more_info_path": "/v/51314/f17", "id": "pyup.io-51314", "type": "cve", "cve": "CVE-2021-29425"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 updates its Maven dependency 'postgresql' to v42.3.4 to include security fixes.", "transitive": true, "more_info_path": "/v/49234/f17", "id": "pyup.io-49234", "type": "cve", "cve": "CVE-2022-26520"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50537/f17", "id": "pyup.io-50537", "type": "cve", "cve": "CVE-2019-12384"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", 
"transitive": true, "more_info_path": "/v/49228/f17", "id": "pyup.io-49228", "type": "cve", "cve": "CVE-2020-36187"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that adds validations of possible malicious keys.\r\nhttps://github.com/apache/dolphinscheduler/commit/5811b84fcc7cc0ff354cf8e871f36aa3ae61aa2a", "transitive": true, "more_info_path": "/v/51304/f17", "id": "pyup.io-51304", "type": "pve", "cve": "PVE-2022-51304"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50536/f17", "id": "pyup.io-50536", "type": "cve", "cve": "CVE-2019-17267"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50549/f17", "id": "pyup.io-50549", "type": "cve", "cve": "CVE-2020-10672"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 updates its Maven dependency 'postgresql' to v42.3.4 to include security fixes.", "transitive": true, "more_info_path": "/v/49235/f17", "id": "pyup.io-49235", "type": "cve", "cve": "CVE-2022-21724"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49224/f17", "id": "pyup.io-49224", "type": "cve", "cve": "CVE-2020-36182"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'postgresql' to v42.3.4 to include security fixes.", "transitive": true, "more_info_path": "/v/50557/f17", "id": "pyup.io-50557", "type": "cve", "cve": "CVE-2022-26520"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 
'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49226/f17", "id": "pyup.io-49226", "type": "cve", "cve": "CVE-2020-36180"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50540/f17", "id": "pyup.io-50540", "type": "cve", "cve": "CVE-2019-12814"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49154/f17", "id": "pyup.io-49154", "type": "cve", "cve": "CVE-2020-36186"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50535/f17", "id": "pyup.io-50535", "type": "cve", "cve": "CVE-2019-12086"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'postgresql' to v42.3.4 to include security fixes.", "transitive": true, "more_info_path": "/v/50555/f17", "id": "pyup.io-50555", "type": "cve", "cve": "CVE-2020-13692"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49223/f17", "id": "pyup.io-49223", "type": "cve", "cve": "CVE-2020-36183"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50532/f17", "id": "pyup.io-50532", "type": "cve", "cve": "CVE-2019-16335"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, 
"more_info_path": "/v/49225/f17", "id": "pyup.io-49225", "type": "cve", "cve": "CVE-2020-36181"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 updates its Maven dependency 'postgresql' to v42.3.4 to include security fixes.", "transitive": true, "more_info_path": "/v/49236/f17", "id": "pyup.io-49236", "type": "cve", "cve": "CVE-2020-13692"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50554/f17", "id": "pyup.io-50554", "type": "cve", "cve": "CVE-2020-10969"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50546/f17", "id": "pyup.io-50546", "type": "cve", "cve": "CVE-2018-14720"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50533/f17", "id": "pyup.io-50533", "type": "cve", "cve": "CVE-2019-16943"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49222/f17", "id": "pyup.io-49222", "type": "cve", "cve": "CVE-2020-36184"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49227/f17", "id": "pyup.io-49227", "type": "cve", "cve": "CVE-2020-36179"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'logback-core' to v 1.2.11 to include security fixes.", "transitive": true, 
"more_info_path": "/v/51313/f17", "id": "pyup.io-51313", "type": "cve", "cve": "CVE-2021-42550"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50523/f17", "id": "pyup.io-50523", "type": "cve", "cve": "CVE-2020-9546"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49221/f17", "id": "pyup.io-49221", "type": "cve", "cve": "CVE-2020-36185"}, {"specs": ["<3.0.0beta2"], "advisory": "Apache-dolphinscheduler 3.0.0beta2 updates its Maven dependency 'commons-io' to v2.11.0 to include a security fix.", "transitive": true, "more_info_path": "/v/49730/f17", "id": "pyup.io-49730", "type": "cve", "cve": "CVE-2021-29425"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50526/f17", "id": "pyup.io-50526", "type": "cve", "cve": "CVE-2020-9548"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50529/f17", "id": "pyup.io-50529", "type": "cve", "cve": "CVE-2020-8840"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50531/f17", "id": "pyup.io-50531", "type": "cve", "cve": "CVE-2019-14439"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50534/f17", "id": "pyup.io-50534", "type": "cve", "cve": 
"CVE-2019-14540"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50538/f17", "id": "pyup.io-50538", "type": "cve", "cve": "CVE-2019-20330"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50542/f17", "id": "pyup.io-50542", "type": "cve", "cve": "CVE-2018-19361"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50544/f17", "id": "pyup.io-50544", "type": "cve", "cve": "CVE-2018-11307"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50545/f17", "id": "pyup.io-50545", "type": "cve", "cve": "CVE-2018-14719"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50550/f17", "id": "pyup.io-50550", "type": "cve", "cve": "CVE-2020-10673"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'postgresql' to v42.3.4 to include security fixes.", "transitive": true, "more_info_path": "/v/50556/f17", "id": "pyup.io-50556", "type": "cve", "cve": "CVE-2022-21724"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that fixes a vulnerability in LDAP login.\r\nhttps://github.com/apache/dolphinscheduler/commit/17a9dd25fa0e80b048394f79db130f56eb8ef72f", "transitive": true, "more_info_path": "/v/51292/f17", "id": "pyup.io-51292", 
"type": "pve", "cve": "PVE-2022-51292"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'hadoop' to v2.7.7 to include security fixes.", "transitive": true, "more_info_path": "/v/51305/f17", "id": "pyup.io-51305", "type": "cve", "cve": "CVE-2017-15718"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'cron-utils' to v9.1.6 to include a security fix.", "transitive": true, "more_info_path": "/v/51307/f17", "id": "pyup.io-51307", "type": "cve", "cve": "CVE-2021-41269"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'h2' to v2.1.210 to include security fixes.", "transitive": true, "more_info_path": "/v/51308/f17", "id": "pyup.io-51308", "type": "cve", "cve": "CVE-2022-23221"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'postgresql' to v42.4.1 to include a security fix.", "transitive": true, "more_info_path": "/v/51311/f17", "id": "pyup.io-51311", "type": "cve", "cve": "CVE-2022-31197"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'hive-jdbc' to v2.3.3 to include a security fix.", "transitive": true, "more_info_path": "/v/51312/f17", "id": "pyup.io-51312", "type": "cve", "cve": "CVE-2018-1282"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50539/f17", "id": "pyup.io-50539", "type": "cve", "cve": 
"CVE-2019-17531"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'logback' to v1.2.11 to include a security fix.", "transitive": true, "more_info_path": "/v/50559/f17", "id": "pyup.io-50559", "type": "cve", "cve": "CVE-2021-42550"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires as a Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49230/f17", "id": "pyup.io-49230", "type": "cve", "cve": "CVE-2020-36189"}, {"specs": ["<3.0.0beta1"], "advisory": "Apache-dolphinscheduler 3.0.0beta1 requires as a Maven dependency 'jackson-databind' v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/49232/f17", "id": "pyup.io-49232", "type": "cve", "cve": "CVE-2020-35490"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50551/f17", "id": "pyup.io-50551", "type": "cve", "cve": "CVE-2020-11111"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50525/f17", "id": "pyup.io-50525", "type": "cve", "cve": "CVE-2020-9547"}, {"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'hadoop' to v2.7.7 to include security fixes.", "transitive": true, "more_info_path": "/v/51306/f17", "id": "pyup.io-51306", "type": "cve", "cve": "CVE-2018-8009"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50553/f17", "id": "pyup.io-50553", "type": "cve", "cve": "CVE-2020-10968"}, 
{"specs": ["<3.1.0"], "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'h2' to v2.1.210 to include security fixes.", "transitive": true, "more_info_path": "/v/51309/f17", "id": "pyup.io-51309", "type": "cve", "cve": "CVE-2021-42392"}, {"specs": ["<3.0.0"], "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "transitive": true, "more_info_path": "/v/50547/f17", "id": "pyup.io-50547", "type": "cve", "cve": "CVE-2018-14721"}, {"specs": [">=0,<2.0.5"], "advisory": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.", "transitive": false, "more_info_path": "/v/54431/f17", "id": "pyup.io-54431", "type": "cve", "cve": "CVE-2022-25598"}], "django-tastypie": [{"specs": ["<0.9.10"], "advisory": "The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", "transitive": false, "more_info_path": "/v/25794/f17", "id": "pyup.io-25794", "type": "cve", "cve": "CVE-2011-4104"}], "django-revproxy": [{"specs": ["<0.9.7"], "advisory": "Django-revproxy 0.9.7 fixes a security issue: when colon is present at URL path urljoin, it ignores the upstream and the request is redirected to the path itself, allowing content injection.", "transitive": false, "more_info_path": "/v/25784/f17", "id": "pyup.io-25784", "type": "pve", "cve": "PVE-2021-25784"}, {"specs": ["<0.9.6"], "advisory": "Django-revproxy 0.9.6 fixes a security issue that allowed remote-user header injection.\r\nhttps://github.com/jazzband/django-revproxy/commit/0ce23b632fc7c1b4cb5f5e03077b45e6ece802e6", "transitive": false, "more_info_path": "/v/25783/f17", "id": 
"pyup.io-25783", "type": "pve", "cve": "PVE-2021-25783"}], "supabase": [{"specs": ["<0.7.1"], "advisory": "Supabase 0.7.1 updates its dependency 'httpx' to v0.23.0 to include a security fix.", "transitive": true, "more_info_path": "/v/52976/f17", "id": "pyup.io-52976", "type": "cve", "cve": "CVE-2021-41945"}], "pydal": [{"specs": ["<15.02.27"], "advisory": "pydal before 15.02.27 has a security flaw which could lead to db password storing in cache.", "transitive": false, "more_info_path": "/v/33022/f17", "id": "pyup.io-33022", "type": "pve", "cve": "PVE-2021-33022"}], "djangocms-highlightjs": [{"specs": ["<0.3.1"], "advisory": "Djangocms-highlightjs 0.3.1 escapes code in plugin template.\r\nhttps://github.com/nephila/djangocms-highlightjs/pull/1", "transitive": false, "more_info_path": "/v/25798/f17", "id": "pyup.io-25798", "type": "pve", "cve": "PVE-2021-25798"}], "instawow": [{"specs": ["<1.35.0"], "advisory": "Instawow 1.35.0 improves security by refusing requests to the RPC API which do not originate from the Instawow client (same origin).\r\nhttps://github.com/layday/instawow/commit/478d86bd06819a099c679d4b64d739c0a70080a8", "transitive": false, "more_info_path": "/v/43742/f17", "id": "pyup.io-43742", "type": "pve", "cve": "PVE-2021-43742"}], "djangorestframework": [{"specs": ["<2.4.4"], "advisory": "djangorestframework 2.4.4 fixes a security issue: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.", "transitive": false, "more_info_path": "/v/25802/f17", "id": "pyup.io-25802", "type": "pve", "cve": "PVE-2021-25802"}, {"specs": ["<2.3.14"], "advisory": "Djangorestframework 2.3.14 fixes a security issue. 
It escapes request path when it is included as part of the login and logout links in the browsable API.", "transitive": false, "more_info_path": "/v/25801/f17", "id": "pyup.io-25801", "type": "pve", "cve": "PVE-2021-25801"}, {"specs": ["<2.3.12"], "advisory": "djangorestframework 2.3.12 fixes a security issue: `OrderingField` now only allows ordering on readable serializer fields, or on fields explicitly specified using `ordering_fields`. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.", "transitive": false, "more_info_path": "/v/25800/f17", "id": "pyup.io-25800", "type": "pve", "cve": "PVE-2021-25800"}, {"specs": ["<2.2.1"], "advisory": "djangorestframework 2.2.1 fixes a security issue: Use `defusedxml` package to address XML parsing vulnerabilities.", "transitive": false, "more_info_path": "/v/25799/f17", "id": "pyup.io-25799", "type": "pve", "cve": "PVE-2021-25799"}, {"specs": ["<3.11.2"], "advisory": "A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. 
This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.", "transitive": false, "more_info_path": "/v/38841/f17", "id": "pyup.io-38841", "type": "cve", "cve": "CVE-2020-25626"}, {"specs": [">=3.0.0,<3.1.1", "<2.4.5"], "advisory": "Djangorestframework 3.1.1 and 2.4.5 fix a security issue: : Escape tab switching cookie name in browsable API.\r\nhttps://github.com/encode/django-rest-framework/commit/7872d0acbffeea5f4420aae5627f8767c6418ba3", "transitive": false, "more_info_path": "/v/25804/f17", "id": "pyup.io-25804", "type": "pve", "cve": "PVE-2021-25804"}, {"specs": ["<3.9.1"], "advisory": "Djangorestframework 3.9.1 includes a fix for an XSS vulnerability.\r\nhttps://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8", "transitive": false, "more_info_path": "/v/43472/f17", "id": "pyup.io-43472", "type": "cve", "cve": "CVE-2018-25045"}], "tfx": [{"specs": ["<0.30.0"], "advisory": "Tfx 0.30.0 uses yaml.SafeLoader() to avoid a code execution vulnerability.\r\nhttps://github.com/tensorflow/tfx/commit/2692c9ab437d76b5d9517996bfe2596862e0791d#diff-68603411e5359dc496f3e5d7469be772aaca79b3e6950d4df9bdb616b519d3ce", "transitive": true, "more_info_path": "/v/41395/f17", "id": "pyup.io-41395", "type": "cve", "cve": "CVE-2020-14343"}], "ansible-tower-cli": [{"specs": ["<3.2.0"], "advisory": "Ansible-tower-cli versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. 
An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684", "transitive": true, "more_info_path": "/v/42865/f17", "id": "pyup.io-42865", "type": "cve", "cve": "CVE-2020-10684"}, {"specs": ["<3.2.0"], "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1735.", "transitive": true, "more_info_path": "/v/42878/f17", "id": "pyup.io-42878", "type": "cve", "cve": "CVE-2020-1735"}, {"specs": ["<3.2.0"], "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1738.", "transitive": true, "more_info_path": "/v/42874/f17", "id": "pyup.io-42874", "type": "cve", "cve": "CVE-2020-1738"}, {"specs": ["<3.2.0"], "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2021-3447.", "transitive": true, "more_info_path": "/v/42861/f17", "id": "pyup.io-42861", "type": "cve", "cve": "CVE-2021-3447"}, {"specs": ["<3.2.0"], "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1736.", "transitive": true, "more_info_path": "/v/42876/f17", "id": "pyup.io-42876", "type": "cve", "cve": "CVE-2020-1736"}, {"specs": ["<3.2.0"], "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, what implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2021-3583.", "transitive": true, "more_info_path": "/v/42925/f17", "id": "pyup.io-42925", "type": "cve", "cve": "CVE-2021-358