Vulnerability Details : CVE-2023-2970

A vulnerability classified as problematic was found in MindSpore 2.0.0-alpha/2.0.0-rc1. This vulnerability affects the function JsonHelper::UpdateArray of the file mindspore/ccsrc/minddata/dataset/util/json_helper.cc. The manipulation leads to memory corruption. The name of the patch is 30f4729ea2c01e1ed437ba92a81e2fc098d608a9. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-230176.

Vulnerability category: OverflowMemory Corruption

Published 2023-05-30 06:16:31

Updated 2023-06-05 18:01:59

Source VulDB

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2023-2970

Probability of exploitation activity in the next 30 days: 0.08%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 31 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2023-2970

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
2.7	LOW	AV:A/AC:L/Au:S/C:N/I:N/A:P	5.1	2.9	cna@vuldb.com
Access Vector: Adjacent Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
3.5	LOW	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L	2.1	1.4	cna@vuldb.com
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	2.8	3.6	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2023-2970

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: cna@vuldb.com (Primary)

References for CVE-2023-2970

https://gitee.com/mindspore/mindspore/issues/I73DOS

【MD】【FUZZ】UpdateArray算子，存在coredump的情况 · Issue #I73DOS · MindSpore/mindspore - Gitee
Issue Tracking;Third Party Advisory
https://vuldb.com/?id.230176

CVE-2023-2970: MindSpore json_helper.cc UpdateArray memory corruption (I73DOS)
Permissions Required
https://vuldb.com/?ctiid.230176

CVE-2023-2970: MindSpore json_helper.cc UpdateArray memory corruption (I73DOS)
Permissions Required
https://gitee.com/mindspore/mindspore/commit/30f4729ea2c01e1ed437ba92a81e2fc098d608a9

Login - Gitee
Permissions Required

Products affected by CVE-2023-2970

Mindspore » Mindspore » Version: 2.0.0 Update RC1
cpe:2.3:a:mindspore:mindspore:2.0.0:rc1:*:*:*:*:*:*
Matching versions
Mindspore » Mindspore » Version: 2.0.0 Update Alpha
cpe:2.3:a:mindspore:mindspore:2.0.0:alpha:*:*:*:*:*:*
Matching versions