CVE-2022-29207 — Improper Input Validation in Tensorflow

CWE-20 — Improper Input Validation CWE-475 — Undefined Behavior for Input to API5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 86.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 20

Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, multiple TensorFlow operations misbehave in eager mode when the resource handle provided to them is invalid. In graph mode, it would have been impossible to perform these API calls, but migration to TF 2.x eager mode opened up this vulnerability. If the resource handle is empty, then a reference is bound to a null pointer inside TensorFlow codebase (various codepaths). This is undefined …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.7.0 — 2.7.2+4

▶CVEListV5tensorflow/tensorflow< 2.6.4+3

▶PyPIintel/optimization_for_tensorflow2.7.0 — 2.7.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Undefined behavior when users supply invalid resource handles↗2022-05-24

▶

OSV

Undefined behavior when users supply invalid resource handles↗2022-05-24

▶

CVEList

Undefined behavior when users supply invalid resource handles in TensorFlow↗2022-05-20

▶

📋Vendor Advisories

Debian

CVE-2022-29207: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....↗2022

▶