CVE-2022-36022 : Deeplearning4J is a suite of tools for deploying and training deep learning mode

Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. As a workaround, download a word2vec google news vector from a new source using git lfs from here.

Published 2022-11-10 18:15:11

Updated 2022-11-15 20:27:45

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-36022

Eclipse » Deeplearning4j
Versions before (<) 1.0.0
cpe:2.3:a:eclipse:deeplearning4j:*:*:*:*:*:*:*:*
Matching versions
Eclipse » Deeplearning4j » Version: 1.0.0 Update Milestone1
cpe:2.3:a:eclipse:deeplearning4j:1.0.0:milestone1:*:*:*:*:*:*
Matching versions
Eclipse » Deeplearning4j » Version: 1.0.0 Update Milestone1.1
cpe:2.3:a:eclipse:deeplearning4j:1.0.0:milestone1.1:*:*:*:*:*:*
Matching versions
Eclipse » Deeplearning4j » Version: 1.0.0 Update Milestone2
cpe:2.3:a:eclipse:deeplearning4j:1.0.0:milestone2:*:*:*:*:*:*
Matching versions
Eclipse » Deeplearning4j » Version: 1.0.0 Update Beta6
cpe:2.3:a:eclipse:deeplearning4j:1.0.0:beta6:*:*:*:*:*:*
Matching versions
Eclipse » Deeplearning4j » Version: 1.0.0 Update Beta7
cpe:2.3:a:eclipse:deeplearning4j:1.0.0:beta7:*:*:*:*:*:*
Matching versions
Eclipse » Deeplearning4j » Version: 1.0.0 Update Beta5
cpe:2.3:a:eclipse:deeplearning4j:1.0.0:beta5:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36022

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 20 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36022

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2022-36022

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Assigned by: nvd@nist.gov (Primary)
CWE-344 Use of Invariant Value in Dynamically Changing Context

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2022-36022

https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687w

Use of unclaimed s3 bucket in tests and examples · Advisory · deeplearning4j/deeplearning4j · GitHub
Third Party Advisory
https://github.com/mmihaltz/word2vec-GoogleNews-vectors

GitHub - mmihaltz/word2vec-GoogleNews-vectors: word2vec Google News model
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-36022

Products affected by CVE-2022-36022

Exploit prediction scoring system (EPSS) score for CVE-2022-36022

CVSS scores for CVE-2022-36022

CWE ids for CVE-2022-36022

References for CVE-2022-36022