Miggo Logo

CVE-2023-52308: PaddlePaddle floating point exception in paddle.amin

4.7

CVSS Score
3.1

Basic Information

EPSS Score
0.28014%
Published
1/3/2024
Updated
11/22/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
PaddlePaddlepip< 2.6.02.6.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input validation in tensor dimension handling. The commit diff shows a critical addition of PADDLE_ENFORCE_GE in SearchsortedInferMeta to validate that the input tensor has at least 1 dimension. This aligns with the CWE-369 (Divide By Zero) and the PoC demonstrating crashes with [0,0,6,3] shaped tensors. The function is directly tied to the amin operation's input validation, making it the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*P* in p***l*.*min in P***l*P***l* ***or* *.*.*. T*is *l*w **n **us* * runtim* *r*s* *n* * **ni*l o* s*rvi**.

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in t*nsor *im*nsion **n*lin*. T** *ommit *i** s*ows * *riti**l ***ition o* P***L*_*N*OR**_** in S**r**sort**In**rM*t* to v*li**t* t**t t** input t*nsor **s *t l**st * *im*nsion. T*is *li*ns wit*