AI Risk Database

Vulnerabilities in Linked Code

0
0

Vulnerability Info

Report Idreport-83dcc481ba994cc1ad1e5b8e0a170530
Vulnerability Typesecurity
Model Namejonatasgrosman/wav2vec2-large-xlsr-53-english
Model Version569a6236e92bd5f7652a0420bfe9bb94c5664080
Created Date2024/06/27
Reported Byindiana-university

Description

Vulnerability Summary

The model jonatasgrosman/wav2vec2-large-xlsr-53-english is associated with a code repository https://github.com/jonatasgrosman/wav2vec2-sprint for which 3 CWEs (including 1 high severity vulnerabilities) were identified. The weaknesses and vulnerabilities listed here are for informational purposes about the model supply chain and may not be explicit in the model itself.

The model associated with jonatasgrosman/wav2vec2-large-xlsr-53-english has been found to have 3 Common Weakness Enumerations (CWEs), including 2 high severity vulnerabilities.

The identified weaknesses include:

  1. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  2. CWE-259: Use of Hard-coded Password
  3. CWE-703: Improper Check or Handling of Exceptional Conditions

The GitHub repository is linked in the huggingface README.md.

The vulnerabilities were discovered using Semgrep and Bandit.

URL: https://huggingface.co/jonatasgrosman/wav2vec2-large-xlsr-53-english

PURL: pkg:huggingface/jonatasgrosman/wav2vec2-large-xlsr-53-english@569a6236e92bd5f7652a0420bfe9bb94c5664080

SHA: 569a6236e92bd5f7652a0420bfe9bb94c5664080

Author: jonatasgrosman

Tags: ['transformers', 'pytorch', 'jax', 'safetensors', 'wav2vec2', 'automatic-speech-recognition', 'audio', 'en', 'hf-asr-leaderboard', 'mozilla-foundation/common_voice_6_0', 'robust-speech-event', 'speech', 'xlsr-fine-tuning-week', 'dataset:common_voice', 'dataset:mozilla-foundation/common_voice_6_0', 'license:apache-2.0', 'model-index', 'endpoints_compatible', 'has_space', 'region:us']

Downloads: 63753898

Likes: 358

GitHub Link: https://github.com/jonatasgrosman/wav2vec2-sprint

Low Severity Weaknesses: 2

Medium Severity Weaknesses: 0

High Severity Weaknesses: 1

Total Weaknesses Identified: 3

Common Weaknesses Enumerations (CWEs) Identified:

CWEDescriptionURL
CWE - 78 : Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage. There are at least two subtypes of OS command injection: The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system(nslookup [HOSTNAME]) to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing. The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system. For example, the program might use exec([COMMAND]) to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line. From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.78
CWE - 259 : Use of Hard-coded PasswordA hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely. There are two main variations: Inbound: the product contains an authentication mechanism that checks for a hard-coded password. Outbound: the product connects to another system or component, and it contains hard-coded password for connecting to that component. In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the product. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the product will have the same password, even across different organizations, this enables massive attacks such as worms to take place. The Outbound variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password which can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end product. Any user of that program may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple.259
CWE - 703 : Improper Check or Handling of Exceptional ConditionsThe product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.703