Deeplearning4J 1.0.0-M2.1 S3 Bucket Disclosure Vulnerability
CVE-2022-36022 Published on November 10, 2022

Some Deeplearning4J packages use an unclaimed S3 bucket in tests and examples
Deeplearning4J is a suite of tools for deploying and training deep learning models on the JVM. The packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests, through version 1.0.0-M2.1, may use unclaimed S3 buckets in tests and examples. This is likely to affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots, as Deeplearning4J plans to publish a release with the fix at a later date. As a workaround, download a word2vec Google News vector from a new source using git lfs from here.
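The weakness behind this CVE is a hard-coded bucket name whose owner can change underneath the code. As an added example (not code from the Deeplearning4j project), the Python helpers below pull S3 bucket names out of source text so they can be compared against an allow-list of buckets the team actually controls, and check a downloaded artifact such as a word2vec vector file against a pinned SHA-256 digest before it is loaded; the sample source lines, bucket names and allow-list are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# The usual ways an S3 bucket is referenced in code or configuration:
#   s3://bucket/key
#   https://bucket.s3.amazonaws.com/key or https://bucket.s3.<region>.amazonaws.com/key
#   https://s3.amazonaws.com/bucket/key or https://s3.<region>.amazonaws.com/bucket/key
_BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_S3_PATTERNS = [
    re.compile(r"s3://" + _BUCKET + r"/"),
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET),
]

def find_s3_buckets(text):
    """Return the sorted, de-duplicated bucket names referenced in `text`."""
    found = set()
    for pattern in _S3_PATTERNS:
        for match in pattern.finditer(text):
            found.add(match.group(1))
    return sorted(found)

def unowned_buckets(text, owned):
    """Bucket references absent from the allow-list of buckets you control.
    Each name reported is a fixed reference whose target nobody on the team owns."""
    return [b for b in find_s3_buckets(text) if b not in owned]

def artifact_matches(data, expected_sha256):
    """True if the bytes of a downloaded artifact match a pinned SHA-256 digest."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()

def verify_artifact(path, expected_sha256):
    """File-based wrapper: check a downloaded model file before loading it."""
    return artifact_matches(Path(path).read_bytes(), expected_sha256)

# Constructed sample source lines, of the kind an NLP example or test might hold.
SAMPLE_SOURCE = """
String url = "https://example-legacy-bucket.s3.amazonaws.com/GoogleNews-vectors-negative300.bin.gz";
String alt = "s3://example-legacy-bucket/GoogleNews-vectors-negative300.bin.gz";
String ok  = "https://s3.eu-west-1.amazonaws.com/our-team-models/model.bin";
"""
OWNED_BUCKETS = {"our-team-models"}  # hypothetical allow-list for this team

if __name__ == "__main__":
    print("referenced:", find_s3_buckets(SAMPLE_SOURCE))
    print("not owned: ", unowned_buckets(SAMPLE_SOURCE, OWNED_BUCKETS))
```

Run over a checkout of the examples and tests, any bucket in the "not owned" list is one to replace with a source the team controls and a pinned digest.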

Vulnerability Analysis

CVE-2022-36022 is exploitable with network access and requires neither authorization privileges nor user interaction. The attack complexity is rated low. An exploit of this vulnerability is considered to have no impact on confidentiality, no impact on integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

Weakness Type

Use of Invariant Value in Dynamically Changing Context

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.


Products Associated with CVE-2022-36022

Affected Versions

Eclipse Deeplearning4j version <= 1.0.0-M2.1 is affected by CVE-2022-36022

Vulnerable Packages

The following package names and versions may be associated with CVE-2022-36022

Package Manager | Vulnerable Package                 | Versions        | Fixed In
maven           | org.deeplearning4j:platform-tests  | <= 1.0.0-M2.1   |
maven           | org.deeplearning4j:dl4j-examples   | <= 1.0.0-M2.1   |

Exploit Probability

EPSS: 0.36%
Percentile: 58.15%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.