Vulnerabilities in Linked Code

Vulnerability Info

Report Id: report-585c08158f7e4bb3819993b98ade7f4f
Vulnerability Type: security
Created Date: 2024/06/27

Description

Vulnerability Summary

The model fathyshalab/massive_iot-roberta-large-v1-5-5 is associated with a code repository https://github.com/huggingface/setfit for which 251 CWEs (including 2 high severity vulnerabilities) were identified. The weaknesses and vulnerabilities listed here are for informational purposes about the model supply chain and may not be explicit in the model itself.

The model associated with fathyshalab/massive_iot-roberta-large-v1-5-5 has been found to have 6 Common Weakness Enumerations (CWEs), including 2 high severity vulnerabilities.

The identified weaknesses include:

  • CWE-676: Use of Potentially Dangerous Function
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-502: Deserialization of Untrusted Data
  • CWE-703: Improper Check or Handling of Exceptional Conditions
  • CWE-330: Use of Insufficiently Random Values
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The GitHub repository is linked in the Hugging Face README.md.

The vulnerabilities were discovered using Semgrep and Bandit.

URL: https://huggingface.co/fathyshalab/massive_iot-roberta-large-v1-5-5

PURL: pkg:huggingface/fathyshalab/massive_iot-roberta-large-v1-5-5@7ee122cf0e871ba6fca2a826fad988218169fd29

SHA: 7ee122cf0e871ba6fca2a826fad988218169fd29

Author: fathyshalab

Tags: ['sentence-transformers', 'pytorch', 'roberta', 'setfit', 'text-classification', 'arxiv:2209.11055', 'license:apache-2.0', 'region:us']

Downloads: 0

Likes: 0

GitHub Link: https://github.com/huggingface/setfit

Low Severity Weaknesses: 245

Medium Severity Weaknesses: 4

High Severity Weaknesses: 2

Total Weaknesses Identified: 251

Common Weakness Enumerations (CWEs) Identified:

CWE: CWE-676: Use of Potentially Dangerous Function
Description: The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
URL: 676

CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description: Many file operations are intended to take place within a restricted directory. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as /usr/local/bin, which may also be useful in accessing unexpected files. This is referred to as absolute path traversal. In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the product may add .txt to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction.
URL: 22

CWE: CWE-502: Deserialization of Untrusted Data
Description: It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security -- which is a dangerous security assumption. Data that is untrusted cannot be trusted to be well-formed. When developers place no restrictions on gadget chains, or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.
URL: 502

CWE: CWE-703: Improper Check or Handling of Exceptional Conditions
Description: The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
URL: 703

CWE: CWE-330: Use of Insufficiently Random Values
Description: When the product generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
URL: 330

CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increase the amount of damage. There are at least two subtypes of OS command injection:

  • The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system(nslookup [HOSTNAME]) to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing.
  • The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system. For example, the program might use exec([COMMAND]) to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line.

From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
URL: 78

CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description: Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands. SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or product package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.
URL: 89