Lucene search

GitHub Advisory DatabaseGHSA-XXJ3-55P6-XG3H

HistoryJul 25, 2022 - 12:00 a.m.

Apache MXNet vulnerable to potential denial-of-service by excessive resource consumption

2022-07-2500:00:31

CWE-400

GitHub Advisory Database

github.com

apache

mxnet

denial-of-service

vulnerability

regular expression

resource consumption

bug

model

operator

version 1.9.1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.

Affected configurations

Vulners

Node

apachemxnetRange<1.9.1

VendorProductVersionCPE
apachemxnet*cpe:2.3:a:apache:mxnet:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	mxnet	*	cpe:2.3:a:apache:mxnet::::::::

References

www.openwall.com/lists/oss-security/2022/07/24/2

github.com/advisories/GHSA-xxj3-55p6-xg3h

github.com/apache/mxnet/releases/tag/1.9.1

lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o

nvd.nist.gov/vuln/detail/CVE-2022-24294

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

Related for GHSA-XXJ3-55P6-XG3H