[BUG] DeepSeek - Outdated Vulnerable Software - High (8.8) #650

Open
gbiagomba opened this issue Feb 12, 2025 · 1 comment

Risk: High (8.8)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**NOTE:** The score was derived from the highest vulnerability in the software dependency package.


Description:

While conducting a security review of DeepSeek, we observed the noted web application used outdated 3P software with known vulnerabilities. The risks associated with using such dependencies are significant and include security vulnerabilities, data breaches, malware infections, compliance violations, and reputation damage.


Impact:

These vulnerabilities can be exploited by attackers to compromise the system, steal sensitive data, infect it with malware, violate industry regulations, and harm the organization's reputation. Outdated software is often no longer supported by its developers, which means that any security vulnerabilities that are discovered are unlikely to be patched. This makes it easier for hackers to exploit these vulnerabilities and gain access to our system or steal our data.


Affected Assets:

Affected Software:

  1. [email protected]
  2. [email protected]
  3. [email protected]
  4. [email protected]
  5. [email protected]

Evidence:

depscan:

                                                         Dependency Scan Results (UNIVERSAL)                                                          
╔═══════════════════════════════════════════════════════════════════════╤═══════════════════╤════════════════════════╤══════════════════╤════════════╗
║ CVE                                                                  │ Insights         │ Fix Version           │ Severity        │      Score ║
╟───────────────────────────────────────────────────────────────────────┼───────────────────┼────────────────────────┼──────────────────┼────────────╢
║ [email protected] ⬅ CVE-2024-11392                                  │                   │ 4.48.0                 │ HIGH             │        7.5 ║
╟───────────────────────────────────────────────────────────────────────┼───────────────────┼────────────────────────┼──────────────────┼────────────╢
║ [email protected] ⬅ CVE-2024-11393                                  │                   │ 4.48.0                 │ HIGH             │        8.8 ║
╟───────────────────────────────────────────────────────────────────────┼───────────────────┼────────────────────────┼──────────────────┼────────────╢
║ [email protected] ⬅ CVE-2024-11394                                  │                   │ 4.48.0                 │ HIGH             │        7.5 ║
╚═══════════════════════════════════════════════════════════════════════╧═══════════════════╧════════════════════════╧══════════════════╧════════════╝

snyk:


Testing /Users/gbiagomba/Projects/DeepSeek/src...

Tested 23 dependencies for known issues, found 5 issues, 11 vulnerable paths.


Issues to fix by upgrading dependencies:

  Pin [email protected] to [email protected] to fix
  ✗ Insufficient Verification of Data Authenticity [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-CERTIFI-7430173] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] and 2 other path(s)

  Pin [email protected] to [email protected] to fix
  ✗ Template Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-JINJA2-8548181] in [email protected]
    introduced by [email protected] > [email protected]
  ✗ Improper Neutralization [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-JINJA2-8548987] in [email protected]
    introduced by [email protected] > [email protected]

  Pin [email protected] to [email protected] to fix
  ✗ Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TQDM-6807582] in [email protected]
    introduced by [email protected] > [email protected] and 2 other path(s)

  Pin [email protected] to [email protected] to fix
  ✗ Improper Removal of Sensitive Information Before Storage or Transfer [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-7267250] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] and 2 other path(s)



Organization:      gbiagomba
Package manager:   pip
Target file:       DeepSeek-V3/inference/requirements.txt
Project name:      inference
Open source:       no
Project path:      /Users/gbiagomba/Projects/DeepSeek/src
Licenses:          enabled

Tip: Try `snyk fix` to address these issues.`snyk fix` is a new CLI command in that aims to automatically apply the recommended updates for supported ecosystems.
See documentation on how to enable this beta feature: https://docs.snyk.io/snyk-cli/fix-vulnerabilities-from-the-cli/automatic-remediation-with-snyk-fix#enabling-snyk-fix


Error: 
Testing /app...

Failed to get dependencies for all 1 potential projects.
Tip: Re-run in debug mode to see more information: DEBUG=*snyk* <COMMAND>
If the issue persists contact [email protected]
    at test (/snapshot/snyk/dist/cli/webpack:/snyk/src/cli/commands/test/index.ts:298:19)
    at runCommand (/snapshot/snyk/dist/cli/webpack:/snyk/src/cli/main.ts:56:25)
    at main (/snapshot/snyk/dist/cli/webpack:/snyk/src/cli/main.ts:343:11)
    at /snapshot/snyk/dist/cli/webpack:/snyk/src/cli/index.ts:13:3
    at callHandlingUnexpectedErrors (/snapshot/snyk/dist/cli/webpack:/snyk/src/lib/unexpected-error.ts:28:5)

trivy:


DeepSeek-V3/inference/requirements.txt (pip)
============================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ transformers │ CVE-2024-11392 │ HIGH     │ fixed  │ 4.46.3            │ 4.48.0        │ transformers: Hugging Face Transformers MobileViTV2        │
│              │                │          │        │                   │               │ Deserialization of Untrusted Data Remote Code Execution... │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-11392                 │
│              ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2024-11393 │          │        │                   │               │ transformers: Hugging Face Transformers MaskFormer Model   │
│              │                │          │        │                   │               │ Deserialization of Untrusted Data Remote Code...           │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-11393                 │
│              ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2024-11394 │          │        │                   │               │ transformers: Hugging Face Transformers Trax Model         │
│              │                │          │        │                   │               │ Deserialization of Untrusted Data Remote Code...           │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-11394                 │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘


Replicate Finding:

  1. Download & Install OWASP Dependency Check: git clone https://github.com/jeremylong/DependencyCheck
  2. Navigate to the impacted repo (locally) & run the following command: dependency-check --prettyPrint --format ALL --out "$PWD/../" --scan "$PWD"
  3. Open either the CSV file or HTML file for results

Mitigation/Remediation:

We recommend updating the affected software to the latest supported version. Additionally, we recommend hardening the system after patching and ensuring all installed software, including the noted software, is patched. For more details, please see the references below!

Be advised, the above patch should be applied to all other system(s) running the impacted software that are managed by the team.


References:

  1. https://avd.aquasec.com/nvd/cve-2024-11392
  2. https://avd.aquasec.com/nvd/cve-2024-11393
  3. https://avd.aquasec.com/nvd/cve-2024-11394
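The evidence above comes from depscan, snyk and trivy, and the Replicate Finding steps use OWASP Dependency-Check, but all of them reduce to the same question: is the version pinned in DeepSeek-V3/inference/requirements.txt below the first fixed release? The script below is an added example, not code from this issue or from the DeepSeek project, that performs that check offline for the one case the report makes legible: transformers 4.46.3 against fix version 4.48.0 for CVE-2024-11392, CVE-2024-11393 and CVE-2024-11394. The sample requirements text is constructed for the example (only the transformers pin mirrors the scanners' "Installed Version" column), and the certifi, jinja2, tqdm and urllib3 findings from the snyk run are left out because their versions are not readable in the output above.

```python
"""Offline check of a pip requirements file against known fix versions.

Added example for this issue; not code from the issue author or the DeepSeek
project. Only the transformers entry in FIX_VERSIONS comes from the scanner
output above; everything else is an assumption made for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fix versions and CVE ids as reported by trivy/depscan in the issue.
# Add further packages here once their fix versions are known.
FIX_VERSIONS: Dict[str, Tuple[Version, List[str]]] = {
    "transformers": ((4, 48, 0),
                     ["CVE-2024-11392", "CVE-2024-11393", "CVE-2024-11394"]),
}

# Constructed sample requirements.txt. Only the transformers pin matches the
# "Installed Version" column in the trivy table; the other lines are made up.
SAMPLE_REQUIREMENTS = """\
torch==2.4.1
transformers==4.46.3
safetensors>=0.4.5
some-unpinned-package  # no version at all
"""

# name, optional [extras], optional operator and version; markers are ignored.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"
    r"\s*(==|>=|~=|<=|<|>|!=)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize_name(name: str) -> str:
    """PEP 503 style normalization so 'Transformers' and 'transformers' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Version:
    """Turn '4.46.3' into (4, 46, 3); pre/post suffixes such as 'rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: Version, b: Version) -> bool:
    """Compare with zero padding so (4, 48) is not considered below (4, 48, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_requirements(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (normalized name, operator, version) per requirement line."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        m = _REQ_RE.match(line)
        if m:
            out.append((normalize_name(m.group(1)), m.group(2), m.group(3)))
    return out


def check_requirements(text: str) -> List[dict]:
    """Classify each known package as 'vulnerable', 'fixed' or 'unpinned'."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if name not in FIX_VERSIONS:
            continue
        fixed, cves = FIX_VERSIONS[name]
        if op == "==" and ver is not None:
            status = "vulnerable" if version_lt(parse_version(ver), fixed) else "fixed"
        elif op in (">=", "~=") and ver is not None and not version_lt(parse_version(ver), fixed):
            status = "fixed"  # lower bound already at or above the fix
        else:
            status = "unpinned"  # resolver may still select a vulnerable release
        findings.append({
            "package": name,
            "spec": f"{op or ''}{ver or ''}",
            "fix_version": ".".join(map(str, fixed)),
            "cves": cves,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f['package']}{f['spec']}: {f['status']} "
              f"(fix {f['fix_version']}; {', '.join(f['cves'])})")
```

Run it against the real file with `check_requirements(open("DeepSeek-V3/inference/requirements.txt").read())`. A pin at or above 4.48.0 clears the three transformers CVEs but says nothing about the certifi, jinja2, tqdm and urllib3 issues snyk reported, which need their own pins. Treat "unpinned" results as unresolved rather than safe: a bare name or a lower bound below the fix lets the resolver install a vulnerable release. Note also that the 8.8 headline score is the score of CVE-2024-11393 alone, as the depscan table shows; the other two transformers CVEs are 7.5.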
@sumitra321

Yeah
