onnxruntime icon indicating copy to clipboard operation
onnxruntime copied to clipboard
verified publisher icon microsoft

Fix for 7 vulnerabilities

Open MedoX71T opened this issue 1 year ago • 1 comments

fix one or more vulnerable packages in the `pip` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • tools/ci_build/github/linux/docker/scripts/training/ortmodule/stage2/requirements.txt
⚠️ Warning 
scikit-learn 1.0.2 requires scipy, which is not installed.

Vulnerabilities that will be fixed

By pinning:
Severity Priority Score (*) Issue Upgrade Breaking Change Exploit Maturity
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 NULL Pointer Dereference
SNYK-PYTHON-NUMPY-2321964		 numpy:
1.21.3 -> 1.22.2
No Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Buffer Overflow
SNYK-PYTHON-NUMPY-2321966		 numpy:
1.21.3 -> 1.22.2
No No Known Exploit
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Denial of Service (DoS)
SNYK-PYTHON-NUMPY-2321970		 numpy:
1.21.3 -> 1.22.2
No Proof of Concept
medium severity 509/1000
Why? Has a fix available, CVSS 5.9		 Regular Expression Denial of Service (ReDoS)
SNYK-PYTHON-SETUPTOOLS-3180412		 setuptools:
40.5.0 -> 65.5.1
No No Known Exploit
high severity /1000
Why?		 Use After Free
SNYK-PYTHON-TORCH-6619806		 torch:
1.13.1 -> 2.2.0
No No Known Exploit
high severity /1000
Why?		 Heap-based Buffer Overflow
SNYK-PYTHON-TORCH-6649934		 torch:
1.13.1 -> 2.2.0
No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-PYTHON-WHEEL-3180413		 wheel:
0.32.2 -> 0.38.0
No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so I will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

For more information: Contact me Bug bounty hunter

Learn how to fix vulnerabilities with free interactive lessons:

🦉 NULL Pointer Dereference 🦉 Regular Expression Denial of Service (ReDoS) 🦉 Use After Free

MedoX71T avatar May 16 '24 02:05 MedoX71T

@wschin , please help review.

snnn avatar May 16 '24 15:05 snnn