An issue in the oneflow.permute component of OneFlow-Inc. Oneflow v0.9.1 causes an incorrect calculation when the same dimension operation is performed.
The vulnerability (CWE-682 — incorrect calculation) is revealed in the oneflow.permute component during the execution of permutation operations on the same tensor dimension. When a user passes an operation concerning an identical dimension, the library performs incorrect calculations instead of properly handling such a case. A detailed proof-of-concept has been published in an external GitHub repository.
An attacker or unauthorized user can cause incorrect numerical computation results, which may result in data integrity violation in models or computational pipelines based on the OneFlow library. Depending on the application context, consequences may include malfunction of machine learning systems using this library.
Apply patches available from the vendor according to the references. It is recommended to check the availability of a newer version of the OneFlow library and monitor the official project repository for patch information.
OneFlow-Inc. Oneflow v0.9.1 — oneflow.permute component
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOneflow
APPOneflow0.9.1
Related vulnerabilities
A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of ...
A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling f...
A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via suppl...
A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial ...
A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by inv...