
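4 vulnerability records found for Apache MXNet by Apache Software Foundation (CVE-2022-24294 and CVE-2018-1281, each listed once from the nvd source and once from the cvelistv5 source)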

CVE-2022-24294 (GCVE-0-2022-24294)

Vulnerability from nvd – Published: 2022-07-24 17:45 – Updated: 2024-08-03 04:07
VLAI
Title
ReDoS in Apache MXNet RTC Module
Summary
A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.
Severity
No CVSS data available. The CNA record carries a non-CVSS impact rating of "low" (metric type "unknown").
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache MXNet Affected: versions before 1.9.1 (lower bound unspecified; version type: custom)
Credits
Apache MXNet would like to thank Dwi Siswanto for reporting this issue.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:07:02.340Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o"
          },
          {
            "name": "[oss-security] 20220724 CVE-2022-24294: ReDoS in Apache MXNet RTC Module",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/07/24/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache MXNet",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "1.9.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache MXNet would like to thank Dwi Siswanto for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-24T20:06:12.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o"
        },
        {
          "name": "[oss-security] 20220724 CVE-2022-24294: ReDoS in Apache MXNet RTC Module",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/07/24/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2021-11-25T00:00:00.000Z",
          "value": "reported"
        },
        {
          "lang": "en",
          "time": "2022-01-17T00:00:00.000Z",
          "value": "fix merged into master branch"
        },
        {
          "lang": "en",
          "time": "2022-01-27T00:00:00.000Z",
          "value": "fix merged into v1.x, v1.9.x branches"
        },
        {
          "lang": "en",
          "time": "2022-05-27T00:00:00.000Z",
          "value": "Apache MXNet (incubating) 1.9.1 released which contains fix."
        }
      ],
      "title": "ReDoS in Apache MXNet RTC Module",
      "workarounds": [
        {
          "lang": "en",
          "value": "Users that depend on MXNet 1.x are advised to upgrade to MXNet\u003e=1.9.1,\u003c2"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24294",
          "STATE": "PUBLIC",
          "TITLE": "ReDoS in Apache MXNet RTC Module"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache MXNet",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.9.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache MXNet would like to thank Dwi Siswanto for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400 Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o"
            },
            {
              "name": "[oss-security] 20220724 CVE-2022-24294: ReDoS in Apache MXNet RTC Module",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/07/24/2"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-25T00:00:00.000Z",
            "value": "reported"
          },
          {
            "lang": "en",
            "time": "2022-01-17T00:00:00.000Z",
            "value": "fix merged into master branch"
          },
          {
            "lang": "en",
            "time": "2022-01-27T00:00:00.000Z",
            "value": "fix merged into v1.x, v1.9.x branches"
          },
          {
            "lang": "en",
            "time": "2022-05-27T00:00:00.000Z",
            "value": "Apache MXNet (incubating) 1.9.1 released which contains fix."
          }
        ],
        "work_around": [
          {
            "lang": "en",
            "value": "Users that depend on MXNet 1.x are advised to upgrade to MXNet\u003e=1.9.1,\u003c2"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-24294",
    "datePublished": "2022-07-24T17:45:12.000Z",
    "dateReserved": "2022-02-01T00:00:00.000Z",
    "dateUpdated": "2024-08-03T04:07:02.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1281 (GCVE-0-2018-1281)

Vulnerability from nvd – Published: 2018-06-08 19:00 – Updated: 2024-09-17 00:26
VLAI
Summary
The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT environment variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than the user-specified DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attacker who can reach an interface the user did not expect it to be listening on. For example: if a user wants to run a clustered setup locally, they may specify 127.0.0.1. But since MXNet will listen on 0.0.0.0, the port is accessible on all network interfaces.
Severity
No CVSS data available.
CWE
  • Allows unauthorized access (free-text problem type; the record assigns no CWE ID)
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache MXNet Affected: versions older than 1.0.0
Date Public
2018-01-02 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:59:37.275Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e92517e91f2dfcc50865e91c6ea"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache MXNet",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "versions older than 1.0.0"
            }
          ]
        }
      ],
      "datePublic": "2018-01-02T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT env variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than user specified DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attackers reachable via the interface they didn\u0027t expect to be listening on. For example: If a user wants to run a clustered setup locally, they may specify to run on 127.0.0.1. But since MXNet will listen on 0.0.0.0, it makes the port accessible on all network interfaces."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Allows unauthorized access",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-08T18:57:01.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e92517e91f2dfcc50865e91c6ea"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2018-01-02T00:00:00",
          "ID": "CVE-2018-1281",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache MXNet",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions older than 1.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT env variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than user specified DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attackers reachable via the interface they didn\u0027t expect to be listening on. For example: If a user wants to run a clustered setup locally, they may specify to run on 127.0.0.1. But since MXNet will listen on 0.0.0.0, it makes the port accessible on all network interfaces."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Allows unauthorized access"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e92517e91f2dfcc50865e91c6ea",
              "refsource": "CONFIRM",
              "url": "https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e92517e91f2dfcc50865e91c6ea"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-1281",
    "datePublished": "2018-06-08T19:00:00.000Z",
    "dateReserved": "2017-12-07T00:00:00.000Z",
    "dateUpdated": "2024-09-17T00:26:46.445Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-24294 (GCVE-0-2022-24294)

Vulnerability from cvelistv5 – Published: 2022-07-24 17:45 – Updated: 2024-08-03 04:07
VLAI
Title
ReDoS in Apache MXNet RTC Module
Summary
A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.
Severity
No CVSS data available. The CNA record carries a non-CVSS impact rating of "low" (metric type "unknown").
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache MXNet Affected: versions before 1.9.1 (lower bound unspecified; version type: custom)
Credits
Apache MXNet would like to thank Dwi Siswanto for reporting this issue.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:07:02.340Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o"
          },
          {
            "name": "[oss-security] 20220724 CVE-2022-24294: ReDoS in Apache MXNet RTC Module",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/07/24/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache MXNet",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "1.9.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache MXNet would like to thank Dwi Siswanto for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-24T20:06:12.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o"
        },
        {
          "name": "[oss-security] 20220724 CVE-2022-24294: ReDoS in Apache MXNet RTC Module",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/07/24/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2021-11-25T00:00:00.000Z",
          "value": "reported"
        },
        {
          "lang": "en",
          "time": "2022-01-17T00:00:00.000Z",
          "value": "fix merged into master branch"
        },
        {
          "lang": "en",
          "time": "2022-01-27T00:00:00.000Z",
          "value": "fix merged into v1.x, v1.9.x branches"
        },
        {
          "lang": "en",
          "time": "2022-05-27T00:00:00.000Z",
          "value": "Apache MXNet (incubating) 1.9.1 released which contains fix."
        }
      ],
      "title": "ReDoS in Apache MXNet RTC Module",
      "workarounds": [
        {
          "lang": "en",
          "value": "Users that depend on MXNet 1.x are advised to upgrade to MXNet\u003e=1.9.1,\u003c2"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24294",
          "STATE": "PUBLIC",
          "TITLE": "ReDoS in Apache MXNet RTC Module"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache MXNet",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.9.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache MXNet would like to thank Dwi Siswanto for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400 Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o"
            },
            {
              "name": "[oss-security] 20220724 CVE-2022-24294: ReDoS in Apache MXNet RTC Module",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/07/24/2"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-25T00:00:00.000Z",
            "value": "reported"
          },
          {
            "lang": "en",
            "time": "2022-01-17T00:00:00.000Z",
            "value": "fix merged into master branch"
          },
          {
            "lang": "en",
            "time": "2022-01-27T00:00:00.000Z",
            "value": "fix merged into v1.x, v1.9.x branches"
          },
          {
            "lang": "en",
            "time": "2022-05-27T00:00:00.000Z",
            "value": "Apache MXNet (incubating) 1.9.1 released which contains fix."
          }
        ],
        "work_around": [
          {
            "lang": "en",
            "value": "Users that depend on MXNet 1.x are advised to upgrade to MXNet\u003e=1.9.1,\u003c2"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-24294",
    "datePublished": "2022-07-24T17:45:12.000Z",
    "dateReserved": "2022-02-01T00:00:00.000Z",
    "dateUpdated": "2024-08-03T04:07:02.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1281 (GCVE-0-2018-1281)

Vulnerability from cvelistv5 – Published: 2018-06-08 19:00 – Updated: 2024-09-17 00:26
VLAI
Summary
The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT environment variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than the user-specified DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attacker who can reach an interface the user did not expect it to be listening on. For example: if a user wants to run a clustered setup locally, they may specify 127.0.0.1. But since MXNet will listen on 0.0.0.0, the port is accessible on all network interfaces.
Severity
No CVSS data available.
CWE
  • Allows unauthorized access (free-text problem type; the record assigns no CWE ID)
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache MXNet Affected: versions older than 1.0.0
Date Public
2018-01-02 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:59:37.275Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e92517e91f2dfcc50865e91c6ea"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache MXNet",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "versions older than 1.0.0"
            }
          ]
        }
      ],
      "datePublic": "2018-01-02T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT env variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than user specified DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attackers reachable via the interface they didn\u0027t expect to be listening on. For example: If a user wants to run a clustered setup locally, they may specify to run on 127.0.0.1. But since MXNet will listen on 0.0.0.0, it makes the port accessible on all network interfaces."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Allows unauthorized access",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-08T18:57:01.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e92517e91f2dfcc50865e91c6ea"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2018-01-02T00:00:00",
          "ID": "CVE-2018-1281",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache MXNet",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions older than 1.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT env variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than user specified DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attackers reachable via the interface they didn\u0027t expect to be listening on. For example: If a user wants to run a clustered setup locally, they may specify to run on 127.0.0.1. But since MXNet will listen on 0.0.0.0, it makes the port accessible on all network interfaces."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Allows unauthorized access"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e92517e91f2dfcc50865e91c6ea",
              "refsource": "CONFIRM",
              "url": "https://github.com/dmlc/ps-lite/commit/4be817e8b03e7e92517e91f2dfcc50865e91c6ea"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-1281",
    "datePublished": "2018-06-08T19:00:00.000Z",
    "dateReserved": "2017-12-07T00:00:00.000Z",
    "dateUpdated": "2024-09-17T00:26:46.445Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}