We use cookies to improve your experience on our site.
AVID-2026-R1234
Description
MindSpore json_helper.cc UpdateArray memory corruption (CVE-2023-2970)
Details
A vulnerability classified as problematic was found in MindSpore 2.0.0-alpha/2.0.0-rc1. This vulnerability affects the function JsonHelper::UpdateArray of the file mindspore/ccsrc/minddata/dataset/util/json_helper.cc. The manipulation leads to memory corruption. The name of the patch is 30f4729ea2c01e1ed437ba92a81e2fc098d608a9. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-230176.
Reason for inclusion in AVID: CVE-2023-2970 describes a memory corruption vulnerability in MindSpore (an AI framework), affecting software used to build/train/deploy AI systems. It concerns a code path in the AI software stack (JsonHelper::UpdateArray) and has patch and CVE references, indicating a software vulnerability in AI supply chain components. Not hardware/firmware-only. The evidence supports a security vulnerability in AI software supply chain.
References
- NVD entry
- https://vuldb.com/?id.230176
- https://vuldb.com/?ctiid.230176
- https://gitee.com/mindspore/mindspore/issues/I73DOS
- https://gitee.com/mindspore/mindspore/commit/30f4729ea2c01e1ed437ba92a81e2fc098d608a9
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | MindSpore |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| Base Score | 3.5 |
| Base Severity | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-119 | CWE-119 Memory Corruption |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-05-30
- Version: 0.3.3
- AVID Entry