CVE-2022-29211 — Improper Input Validation in Tensorflow

CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 76.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 21

Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.histogram_fixed_width` is vulnerable to a crash when the values array contain `Not a Number` (`NaN`) elements. The implementation assumes that all floating point operations are defined and then converts a floating point result to an integer index. If `values` contains `NaN` then the result of the division is still `NaN` and the cast to `int32` would result in a …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.7.0 — 2.7.2+4

▶CVEListV5tensorflow/tensorflow< 2.6.4+3

▶PyPIintel/optimization_for_tensorflow2.7.0 — 2.7.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Segfault if `tf.histogram_fixed_width` is called with NaN values in TensorFlow↗2022-05-24

▶

OSV

Segfault if `tf.histogram_fixed_width` is called with NaN values in TensorFlow↗2022-05-24

▶

CVEList

Segfault in TensorFlow if `tf.histogram_fixed_width` is called with NaN values↗2022-05-20

▶

📋Vendor Advisories

Debian

CVE-2022-29211: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....↗2022

▶