CVE-2022-29200 — Improper Input Validation in Tensorflow

CWE-20 — Improper Input Validation CWE-1284 — Improper Validation of Specified Quantity in Input5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 86.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 20

Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.LSTMBlockCell` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code does not validate the ranks of any of the arguments to this API call. This results in `CHECK`-failures when the elements of the tensor are accessed. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.7.0 — 2.7.2+4

▶CVEListV5tensorflow/tensorflow< 2.6.4+3

▶PyPIintel/optimization_for_tensorflow2.7.0 — 2.7.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Missing validation causes denial of service via `LSTMBlockCell`↗2022-05-24

▶

OSV

Missing validation causes denial of service via `LSTMBlockCell`↗2022-05-24

▶

CVEList

Missing validation causes denial of service in TensorFlow via `LSTMBlockCell`↗2022-05-20

▶

📋Vendor Advisories

Debian

CVE-2022-29200: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....↗2022

▶