CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

CVE-2023-6905

CVE-2023-6903

CVE-2023-6904

CVE-2023-3907

An issue was discovered in function sync_tree in hetero_decision_tree_guest.py in WeBank FATE (Federated AI Technology Enabler) 0.1 through 1.4.2 allows attackers to read sensitive information during the training process of machine learning joint modeling.

@@ -529,10 +529,23 @@ def redispatch\_node(self, dep=-1, max\_depth\_reach=False):

unleaf\_state\_nodeid1) \== 2 else unleaf\_state\_nodeid2)

self.node\_dispatch \= self.node\_dispatch.union(dispatch\_guest\_result)

  

def remove\_sensitive\_info(self):

"""

host is not allowed to get weights/g/h

"""

new\_tree\_ \= copy.deepcopy(self.tree\_)

for node in new\_tree\_:

node.weight \= None

node.sum\_grad \= None

node.sum\_hess \= None

  

return new\_tree\_

  

def sync\_tree(self):

LOGGER.info("sync tree to host")

  

self.transfer\_inst.tree.remote(self.tree\_,

tree\_nodes \= self.remove\_sensitive\_info()

self.transfer\_inst.tree.remote(tree\_nodes,

role\=consts.HOST,

idx\=\-1)

"""

Headline

CVE-2020-25459: remove sensitive info of guest sending to host · FederatedAI/FATE@6feccf6

CVE: Latest News