Skip to main content

Paddlepaddle CVE-2023-38669

CRITICAL
Use After Free (CWE-416)
2023-07-26 paddle-security@baidu.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 26, 2023 - 10:15 nvd
CRITICAL 9.8

DescriptionNVD

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.

AnalysisAI

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Use After Free (CWE-416), which allows attackers to access freed memory to execute arbitrary code or crash the application. Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition. Affected products include: Paddlepaddle. Version information: before 2.5.0..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use smart pointers or garbage-collected languages. Set pointers to NULL after freeing. Enable memory sanitizers.

CVE-2024-0917 CRITICAL POC
9.8 Mar 07

remote code execution in paddlepaddle/paddle 2.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2023-38673 CRITICAL POC
9.8 Jul 26

PaddlePaddle before 2.5.0 has a command injection in fs.py. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-38671 CRITICAL POC
9.8 Jul 26

Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2022-46742 CRITICAL POC
9.8 Dec 07

Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution. Rated cr

CVE-2022-45908 CRITICAL POC
9.8 Nov 26

In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on

CVE-2024-0818 CRITICAL POC
9.1 Mar 07

Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6. Rated critical severity (CVSS 9.1), this

CVE-2022-46741 CRITICAL POC
9.1 Dec 07

Out-of-bounds read in gather_tree in PaddlePaddle before 2.4. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2024-0815 HIGH POC
8.8 Mar 07

Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0. Rated high sever

CVE-2024-0817 HIGH POC
7.8 Mar 07

Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0. Rated high severity (CVSS 7.8), this vulnerability is lo

CVE-2024-1603 HIGH POC
7.5 Mar 23

paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file. Rated high severity (CVSS 7.5), th

CVE-2023-38672 HIGH POC
7.5 Jul 26

FPE in paddle.trace in PaddlePaddle before 2.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

CVE-2023-38670 HIGH POC
7.5 Jul 26

Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. Rated high severity (CVSS 7.5), this vulnerability

Share

CVE-2023-38669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy