CVE-2022-29195Improper Input Validation in Tensorflow

CWE-20Improper Input Validation5 documents5 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 86.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowGoogle TensorflowIntel Optimization FOR Tensorflow
Timeline
PublishedMay 20
Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.StagePeek` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `index` is a scalar but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

NVDgoogle/tensorflow2.7.02.7.2+4
CVEListV5tensorflow/tensorflow< 2.6.4+3
PyPIintel/optimization_for_tensorflow2.7.02.7.2+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Missing validation causes denial of service via `StagePeek`2022-05-24
GHSA
Missing validation causes denial of service via `StagePeek`2022-05-24
CVEList
Missing validation causes denial of service in TensorFlow via `StagePeek`2022-05-20

📋Vendor Advisories

1
Debian
CVE-2022-29195: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....2022
CVE-2022-29195 — Improper Input Validation | cvebase