Insecure Temporary File in horovod/horovod
Valid
Reported on Jan 8th 2022
Description
The horovod package uses the deprecated function tempfile.mktemp(), which is not secure: a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.
Impact
Availability will get affected because of this vulnerability.
Remediation
Use mkstemp() instead of tempfile.mktemp()
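The race described above and the mkstemp() remediation, as an added Python example that is not horovod's code or part of the original report. The names racy_write, safe_write, demo and the in-process other_process callback (a constructed stand-in for a second process) are hypothetical.

```python
import os
import stat
import tempfile


def racy_write(data, between=None):
    """Deprecated pattern: pick a name now, create the file later."""
    path = tempfile.mktemp()        # returns a name only; nothing exists on disk yet
    if between is not None:
        between(path)               # constructed stand-in for a second process
    with open(path, "wb") as f:     # silently opens whatever now sits at that path
        f.write(data)
    return path


def safe_write(data):
    """Remediation: mkstemp() creates and opens the file in one atomic step."""
    fd, path = tempfile.mkstemp()   # O_CREAT | O_EXCL, owner-only permissions
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    foreign = {}

    def other_process(path):
        # Another process creates the file first and remembers its inode.
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        foreign["inode"] = os.fstat(fd).st_ino
        os.close(fd)

    racy = racy_write(b"data\n", between=other_process)
    reused = os.stat(racy).st_ino == foreign["inode"]  # same inode: not our file
    os.unlink(racy)
    safe = safe_write(b"data\n")
    mode = stat.S_IMODE(os.stat(safe).st_mode)
    try:
        # An exclusive create on the same name must fail: the file already exists.
        os.close(os.open(safe, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
        claimable = True
    except FileExistsError:
        claimable = False
    os.unlink(safe)
    return {"wrote_into_foreign_file": reused, "safe_mode": mode,
            "safe_name_claimable": claimable}


if __name__ == "__main__":
    print(demo())
```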
Occurrences
We are processing your report and will contact the horovod team within 24 hours.
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md
a year ago
We have contacted a member of the horovod team and are waiting to hear back
a year ago
We have sent a follow up to the horovod team. We will try again in 7 days.
a year ago
We have sent a second follow up to the horovod team. We will try again in 10 days.
a year ago
Enrico Minack commented a year ago
This has been fixed. Please do not send any further messages regarding this.
A horovod/horovod maintainer commented a year ago
A fix to address the above vulnerability has been merged into master branch.
Hi Enrico, thank you for fixing the reported vulnerability. Can you please approve the same here? Thanks again.
Hi Enrico, has the fix been released? Can this report be made public?
The fix bounty has been dropped
This vulnerability will not receive a CVE
js_run.py#L129 has been validated