CVE-2022-23580Uncontrolled Resource Consumption in Tensorflow

CWE-400Uncontrolled Resource ConsumptionCWE-1284Improper Validation of Specified Quantity in Input6 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 46.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowIntel Optimization FOR TensorflowGoogle Tensorflow
Timeline
PublishedFeb 4
Latest updateFeb 7

Description

Tensorflow is an Open Source Machine Learning Framework. During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5tensorflow/tensorflow< 2.5.3+2
PyPIintel/optimization_for_tensorflow2.6.02.6.3+2
NVDgoogle/tensorflow2.6.02.6.2+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
Abort caused by allocating a vector that is too large in Tensorflow2022-02-07
OSV
Abort caused by allocating a vector that is too large in Tensorflow2022-02-07
CVEList
Abort caused by allocating a vector that is too large in Tensorflow2022-02-04
OSV
CVE-2022-23580: Tensorflow is an Open Source Machine Learning Framework2022-02-04

📋Vendor Advisories

1
Debian
CVE-2022-23580: tensorflow - Tensorflow is an Open Source Machine Learning Framework. During shape inference,...2022
CVE-2022-23580 — Uncontrolled Resource Consumption | cvebase