AVID-2026-R1171

Description

Vulnerability CVE-2022-46742

Details

Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution.

Reason for inclusion in AVID: The CVE-2022-46742 entry describes a code injection vulnerability in PaddlePaddle (an ML framework) that can lead to arbitrary code execution. PaddlePaddle is a software component used in AI/ML pipelines (model training, inference, data processing). This constitutes a vulnerability in a dependency/tooling commonly used to build, train, deploy, or serve general-purpose AI systems, i.e., a software supply-chain issue within AI stacks. The report provides explicit vulnerability details, affected product, and CVSS-based severity, offering sufficient evidence for classification.

References

Affected or Relevant Artifacts

  • Developer: PaddlePaddle
  • Deployer: PaddlePaddle
  • Artifact Details:
      Type: System
      Name: PaddlePaddle

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
  • Base Score: 10.0
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-94
  • Description: Improper Control of Generation of Code ('Code Injection')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-12-07
  • Version: 0.3.3
  • AVID Entry