CVE-2022-23560 — Out-of-bounds Read in Tensorflow

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 47.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Intel Optimization FOR Tensorflow Google Tensorflow

Timeline

PublishedFeb 4

Latest updateFeb 9

Description

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would allow limited reads and writes outside of arrays in TFLite. This exploits missing validation in the conversion from sparse tensors to dense tensors. The fix is included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. Users are advised to upgrade as soon as possible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5tensorflow/tensorflow< 2.5.3+2

▶PyPIintel/optimization_for_tensorflow2.6.0 — 2.6.3+2

▶NVDgoogle/tensorflow2.6.0 — 2.6.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Read and Write outside of bounds in TensorFlow↗2022-02-09

▶

GHSA

Read and Write outside of bounds in TensorFlow↗2022-02-09

▶

OSV

CVE-2022-23560: Tensorflow is an Open Source Machine Learning Framework↗2022-02-04

▶

CVEList

Read and Write outside of bounds in TFLite↗2022-02-04

▶

📋Vendor Advisories

Debian

CVE-2022-23560: tensorflow - Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a...↗2022

▶