CVE-2022-23590 — Improper Check for Unusual or Exceptional Conditions in Google Tensorflow

CWE-754 — Improper Check for Unusual or Exceptional Conditions6 documents5 sources

Severity

7.5HIGHNVD

CNA5.9

EPSS

0.2%

top 52.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Tensorflow Intel Optimization FOR Tensorflow Tensorflow

Timeline

PublishedFeb 4

Latest updateFeb 9

Description

Tensorflow is an Open Source Machine Learning Framework. A `GraphDef` from a TensorFlow `SavedModel` can be maliciously altered to cause a TensorFlow process to crash due to encountering a `StatusOr` value that is an error and forcibly extracting the value from it. We have patched the issue in multiple GitHub commits and these will be included in TensorFlow 2.8.0 and TensorFlow 2.7.1, as both are affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow< 2.7.1

▶PyPIintel/optimization_for_tensorflow< 2.7.1

▶CVEListV5tensorflow/tensorflow>= 2.7.0, < 2.8.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Crash due to erroneous `StatusOr` in TensorFlow↗2022-02-09

▶

OSV

Crash due to erroneous `StatusOr` in TensorFlow↗2022-02-09

▶

OSV

CVE-2022-23590: Tensorflow is an Open Source Machine Learning Framework↗2022-02-04

▶

CVEList

Crash due to erroneous `StatusOr` in Tensorflow↗2022-02-04

▶

📋Vendor Advisories

Debian

CVE-2022-23590: tensorflow - Tensorflow is an Open Source Machine Learning Framework. A `GraphDef` from a Ten...↗2022

▶