CVE-2022-29212 — Improper Input Validation in Tensorflow

CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 75.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 21

Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, certain TFLite models that were created using TFLite model converter would crash when loaded in the TFLite interpreter. The culprit is that during quantization the scale of values could be greater than 1 but code was always assuming sub-unit scaling. Thus, since code was calling `QuantizeMultiplierSmallerThanOneExp`, the `TFLITE_CHECK_LT` assertion would trigger and abort the process. Ve…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.7.0 — 2.7.2+4

▶CVEListV5tensorflow/tensorflow< 2.6.4+3

▶PyPIintel/optimization_for_tensorflow2.7.0 — 2.7.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Core dump when loading TFLite models with quantization in TensorFlow↗2022-05-24

▶

OSV

Core dump when loading TFLite models with quantization in TensorFlow↗2022-05-24

▶

CVEList

Core dump when loading TFLite models with quantization in TensorFlow↗2022-05-20

▶

📋Vendor Advisories

Debian

CVE-2022-29212: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....↗2022

▶