CVE-2020-5215: In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format…

CVE-2020-5215 [LOW] CWE-754 Segmentation faultin TensorFlow when converting a Python string to `tf.float16` Segmentation faultin TensorFlow when converting a Python string to `tf.float16` ### Impact Converting a string (from Python) to a `tf.float16` value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a `tf.float16` value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar `tf.float16` value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by `tf.constant("hello", tf.float16)`, if eager execution is enabled. ### Patches We have patched the vulnerability in GitHub commit [5

CVE-2020-5215 CVE-2020-5215: In TensorFlow before 1 In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant("hello", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed

CVE-2020-5215 [LOW] Segmentation faultin TensorFlow when converting a Python string to `tf.float16` Segmentation faultin TensorFlow when converting a Python string to `tf.float16` ### Impact Converting a string (from Python) to a `tf.float16` value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a `tf.float16` value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar `tf.float16` value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by `tf.constant("hello", tf.float16)`, if eager execution is enabled. ### Patches We have patched the vulnerability in GitHub commit [5

CVE-2020-5215 [MEDIUM] CVE-2020-5215: tensorflow - In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf... In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant("hello", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed

APILOT: Navigating Large Language Models to Generate Secure Code by Sidestepping Outdated API Pitfalls APILOT: Navigating Large Language Models to Generate Secure Code by Sidestepping Outdated API Pitfalls plain Rev. \ of LastPage Weiheng Bai1, Keyang Xuan2, Pengxiang Huang3, Qiushi Wu4, Jianing Wen1, Jingjing Wu1 and Kangjie Lu1 1University of Minnesota - Twin Cities2University of Illinois Urbana-Champaign3Northwestern University4IBM Research \bai00093, wen00112, wu000295\@umn.edu, [email protected]@umn.edu, \ [email protected], [email protected] ## Abstract With the rapid development of large language models (LLMs), their applications have expanded into diverse fields, such as code assistance. However, the substantial size of LLMs makes their training highly resource- and time-intensive, rendering frequent retraining or updates impractical. Consequently, time-sensitive data

Graphene: Infrastructure Security Posture Analysis with AI-generated Attack Graphs : A Holistic Security Posture Analyzer for Edge Computing Xin Jin, Charalampos Katsis, Fan Sang, Jiahao Sun, Ashish Kundu, Ramana Kompella xijin3, ckatsis, fsang, jiahasun, ashkundu, [email protected] Cisco Research San Jose California USA 43017-6221 Trovato et al. ## Abstract is a system that aims to analyze the security posture of an edge infrastructure thoroughly. The user provides necessary information for the given infrastructure, such as device information and connections, and performs a security analysis that involves finding associated vulnerabilities and using vulnerability knowledge to construct attack paths that an adversary may leverage. In addition, investigates how likely are those paths exploitable and quantifies the overall security posture of the system using a scor