
AVID-2026-R1113

Description

Some Deeplearning4J packages use unclaimed s3 bucket in tests and examples (CVE-2022-36022)

Details

Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. The packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests, through version 1.0.0-M2.1, may use unclaimed S3 buckets in tests and examples. This is likely to affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots, as Deeplearning4J plans to publish a release with the fix at a later date. As a workaround, download a word2vec Google News vector from a new source using git lfs from here.

Reason for inclusion in AVID: CVE-2022-36022 involves Deeplearning4j test artifacts referencing an unclaimed S3 bucket. This is a software issue in a DL/ML framework used in AI pipelines, affecting AI software supply chain components (dependencies/tests in the DL4J package). It is a CVE-style security vulnerability with low impact, and the report provides explicit details and references, sufficient to classify.
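The risk described above is a hard-coded reference to an external storage bucket whose ownership can change (CWE-344). The defensive check a maintainer wants is an inventory of every S3 bucket a code base references, compared against the buckets the project actually controls, so that dangling references in tests and examples are caught before release. The following is an added example, not code from the Deeplearning4J project or from this entry. The file contents and bucket names are constructed placeholders; the `OWNED_BUCKETS` allow-list is an assumption standing in for a project's real inventory; and the HTTP status interpretation in `classify_bucket_status` assumes S3's documented behaviour (404 for a bucket that does not exist, 403 for one that exists but denies access).

```python
import re
import urllib.request
import urllib.error
from typing import Dict, List, Tuple

# Constructed sample files (not taken from the DL4J repository) showing the
# three common ways a bucket can be referenced in Java sources and docs.
SAMPLE_FILES: Dict[str, str] = {
    "Word2VecSentimentExample.java": (
        'String WORD_VECTORS_URL = "https://example-nlp-assets.s3.amazonaws.com'
        '/word2vec/GoogleNews-vectors-negative300.bin.gz";'
    ),
    "DataSetFetcher.java": (
        'URL base = new URL("https://s3.us-east-1.amazonaws.com/legacy-example-bucket/datasets/imdb.tar.gz");\n'
        'String glove = "s3://another-legacy-bucket/models/glove.txt";'
    ),
    "README.md": "Models are also mirrored at https://example.com/models (no S3 here).",
}

# Assumed allow-list: buckets the project verifiably owns. Anything else is
# an unverified external dependency that should be pinned to a source under
# the project's control (the mitigation the advisory describes).
OWNED_BUCKETS = {"example-nlp-assets"}

# Bucket-name extraction for the three S3 addressing styles:
#   virtual-hosted  https://<bucket>.s3[.<region>].amazonaws.com/<key>
#   path-style      https://s3[.<region>].amazonaws.com/<bucket>/<key>
#   URI             s3://<bucket>/<key>
S3_PATTERNS = [
    re.compile(r"https?://([a-z0-9.\-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/", re.I),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.\-]+)/", re.I),
    re.compile(r"s3://([a-z0-9.\-]+)/", re.I),
]


def extract_bucket_refs(text: str) -> List[str]:
    """Return the distinct bucket names referenced in `text`, in order of discovery."""
    found: List[str] = []
    for pattern in S3_PATTERNS:
        for match in pattern.finditer(text):
            found.append(match.group(1).lower())
    return list(dict.fromkeys(found))  # de-duplicate while preserving order


def scan_files(files: Dict[str, str], owned: set) -> Dict[str, List[Tuple[str, str]]]:
    """Map each file that references S3 to [(bucket, 'owned' | 'unverified')]."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for name, content in files.items():
        refs = extract_bucket_refs(content)
        if refs:
            report[name] = [(b, "owned" if b in owned else "unverified") for b in refs]
    return report


def classify_bucket_status(http_status: int) -> str:
    """Interpret the status of a HEAD request to https://<bucket>.s3.amazonaws.com/.

    Assumption (S3 documented behaviour): 404 means no such bucket exists, i.e. the
    reference is dangling; 403 or 200 mean the bucket exists (owner unknown to us).
    """
    if http_status == 404:
        return "unclaimed"
    if http_status in (200, 403):
        return "exists"
    return "unknown"


def probe_bucket(bucket: str, timeout: float = 5.0) -> str:
    """Live check (network required); not exercised by the offline test below."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_bucket_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_bucket_status(err.code)
    except urllib.error.URLError:
        return "unknown"


if __name__ == "__main__":
    for fname, entries in scan_files(SAMPLE_FILES, OWNED_BUCKETS).items():
        for bucket, verdict in entries:
            print(f"{fname}: {bucket} -> {verdict}")
```

Run the scanner as a CI step over the repository's `src/` and `examples/` trees; any `unverified` result is a bucket the project does not control and should be replaced by a mirror it does control (or a checked-in artifact under git lfs, as the advisory's workaround does). `probe_bucket` is only needed when triaging an existing `unverified` hit: an `unclaimed` answer means the reference is already dangling and must be removed rather than left for someone else to register.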

References

Affected or Relevant Artifacts

  • Developer: eclipse
  • Deployer: eclipse
  • Artifact Details:
      - Type: System
      - Name: deeplearning4j

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Base Score: 5.3
  • Base Severity: 🟠 Medium
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: 🟢 Low
  • Availability Impact: NONE

CWE

  • CWE-344: Use of Invariant Value in Dynamically Changing Context

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-11-10
  • Version: 0.3.3
  • AVID Entry