AVID-2026-R1167
Description
Vulnerability CVE-2022-45908
Details
In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.
Reason for inclusion in AVID: CVE-2022-45908 describes a code execution vulnerability in PaddlePaddle (an AI framework) due to eval on user-supplied input in paddle.audio.functional.get_window. This directly concerns software used to build/train/deploy AI systems, i.e., a dependency/framework in the AI stack. It is a security/vulnerability issue with potential RCE, and the report provides explicit evidence (CVE entry, advisory, commit) of the flaw. Therefore it qualifies as a software supply-chain vulnerability in general-purpose AI systems.
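The flaw class described above is a window-name lookup implemented with `eval` on a caller-supplied string. The following is an added illustration of the mitigation, not PaddlePaddle's code and not the referenced fix commit: the window name (or a `(name, parameter)` tuple) is resolved through a fixed allowlist and validated, so a string that is not a known window name is rejected as data rather than executed as code. The window functions, names (`hann`, `hamming`, `gaussian`) and parameter rules are assumptions chosen for the example.

```python
# Added example (not PaddlePaddle's own code): allowlist-based window lookup
# in place of eval() on a user-supplied window string.
import math
from typing import Callable, Dict, List, Tuple, Union

# Assumed window implementations, kept dependency-free so the example runs offline.
def _hann(n: int) -> List[float]:
    return [0.5 - 0.5 * math.cos(2.0 * math.pi * i / (n - 1)) for i in range(n)]

def _hamming(n: int) -> List[float]:
    return [0.54 - 0.46 * math.cos(2.0 * math.pi * i / (n - 1)) for i in range(n)]

def _gaussian(n: int, std: float) -> List[float]:
    center = (n - 1) / 2.0
    return [math.exp(-0.5 * ((i - center) / std) ** 2) for i in range(n)]

# The allowlist: name -> (builder, number of numeric parameters it takes).
# A name that is not a key here is an error; nothing in the spec is evaluated.
_WINDOWS: Dict[str, Tuple[Callable[..., List[float]], int]] = {
    "hann": (_hann, 0),
    "hamming": (_hamming, 0),
    "gaussian": (_gaussian, 1),
}

WindowSpec = Union[str, Tuple[str, float]]


def parse_window_spec(spec: WindowSpec) -> Tuple[str, Tuple[float, ...]]:
    """Validate a window spec against the allowlist; return (name, params).

    Accepts either "name" or ("name", param, ...). Any other type, any unknown
    name, a wrong parameter count, or a non-numeric / non-positive parameter
    is rejected with TypeError or ValueError.
    """
    if isinstance(spec, str):
        name, params = spec, ()
    elif isinstance(spec, tuple) and len(spec) >= 1 and isinstance(spec[0], str):
        name, params = spec[0], tuple(spec[1:])
    else:
        raise TypeError(
            f"window spec must be a str or (str, params...) tuple, got {type(spec).__name__}"
        )
    if name not in _WINDOWS:
        # "hann(4)" or any other free-form string lands here: it is simply an unknown name.
        raise ValueError(f"unknown window {name!r}; allowed: {sorted(_WINDOWS)}")
    expected = _WINDOWS[name][1]
    if len(params) != expected:
        raise ValueError(f"window {name!r} takes {expected} parameter(s), got {len(params)}")
    for p in params:
        if isinstance(p, bool) or not isinstance(p, (int, float)):
            raise TypeError(f"window parameters must be numeric, got {type(p).__name__}")
        if not math.isfinite(p) or p <= 0:
            # Assumed rule for the windows above (e.g. gaussian std must be positive).
            raise ValueError(f"window parameter must be finite and positive, got {p!r}")
    return name, params


def get_window(spec: WindowSpec, n: int) -> List[float]:
    """Return the window of length n named by spec, resolved via the allowlist."""
    if isinstance(n, bool) or not isinstance(n, int) or n < 1:
        raise ValueError(f"window length must be a positive integer, got {n!r}")
    name, params = parse_window_spec(spec)
    if n == 1:
        return [1.0]  # degenerate length; avoids division by zero in the cosine windows
    builder = _WINDOWS[name][0]
    return builder(n, *params)


if __name__ == "__main__":
    print("hann(4):", get_window("hann", 4))
    print("gaussian(std=1.0, n=3):", get_window(("gaussian", 1.0), 3))
    # A free-form string is never evaluated; it is rejected as an unknown name.
    try:
        get_window("hann(4)", 4)
    except ValueError as exc:
        print("rejected:", exc)
```

Calling `get_window("hann(4)", 4)` raises `ValueError` because the string is matched against dictionary keys, never parsed or executed; the same holds for any other string that is not exactly one of the allowlisted names.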
References
- NVD entry
- https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2022-002.md
- https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-11-26
- Version: 0.3.3
- AVID Entry