PaddlePaddle vulnerable to code injection via winstr

GHSA-83g7-8fch-p37m · CVE-2022-45908

Published Nov 26, 2022 · Modified Nov 8, 2023

Description

In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-45908
WEB https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb
PACKAGE https://github.com/PaddlePaddle/Paddle
WEB https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2022-002.md

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes