Lucene search

GoogleOSV:BIT-MXNET-2022-24294

HistoryNov 06, 2023 - 8:56 a.m.

BIT-mxnet-2022-24294

2023-11-0608:56:03

Google

osv.dev

apache mxnet

regular expression

vulnerability

denial-of-service

resource consumption

model loading

specially crafted

operator name

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

38.4%

JSON

A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.

References

www.openwall.com/lists/oss-security/2022/07/24/2

lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

38.4%

JSON

Related for OSV:BIT-MXNET-2022-24294