CVE-2022-36022
moderate-risk
Published 2022-11-10
Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. As a workaround, download a word2vec google news vector from a new source using git lfs from here.
Do I need to act?
-
0.22% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (7)
Deeplearning4J
Deeplearning4J
Deeplearning4J
Deeplearning4J
Deeplearning4J
Deeplearning4J
Deeplearning4J
Affected Vendors
References (4)
Third Party Advisory
https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687...
Third Party Advisory
https://github.com/mmihaltz/word2vec-GoogleNews-vectors
Third Party Advisory
https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687...
Third Party Advisory
https://github.com/mmihaltz/word2vec-GoogleNews-vectors
36
/ 100
moderate-risk
Severity
21/34 · High
Exploitability
1/34 · Minimal
Exposure
14/34 · Moderate