Miggo Logo
Miggo Vulnerability Database
CVE-2023-38677

CVE-2023-38677:
PaddlePaddle floating point exception in paddle.linalg.eig

4.7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-38677
GHSA ID
GHSA-c6ph-m8cw-rfqh
EPSS Score
0.28014%
CWE
CWE-369
Published
1/3/2024
Updated
11/22/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
paddlepaddlepip< 2.6.02.6.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from processing empty tensors in eigenvalue computations. The commit diff shows a critical check 'PADDLE_ENFORCE_GT(x.numel(), 0)' was added to EigKernel in paddle/phi/kernels/cpu/eig_kernel.cc. This matches the CWE-369 (Divide By Zero) description and the advisory's PoC using a tensor with a 0-sized dimension. The absence of this check in pre-2.6.0 versions directly caused the FPE vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*P* in p***l*.lin*l*.*i* in P***l*P***l* ***or* *.*.*. T*is *l*w **n **us* * runtim* *r*s* *n* * **ni*l o* s*rvi**.

Reasoning

T** vuln*r**ility st*ms *rom pro**ssin* *mpty t*nsors in *i**nv*lu* *omput*tions. T** *ommit *i** s*ows * *riti**l ****k 'P***L*_*N*OR**_*T(x.num*l(), *)' w*s ***** to *i*K*rn*l in p***l*/p*i/k*rn*ls/*pu/*i*_k*rn*l.**. T*is m*t***s t** *W*-*** (*ivi*