CVE-2022-35983Reachable Assertion in Tensorflow

CWE-617Reachable Assertion5 documents5 sources
Severity
7.5HIGHNVD
CNA5.9
EPSS
0.1%
top 80.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowGoogle TensorflowIntel Optimization FOR Tensorflow
Timeline
PublishedSep 16

Description

TensorFlow is an open source platform for machine learning. If `Save` or `SaveSlices` is run over tensors of an unsupported `dtype`, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported ran

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDgoogle/tensorflow2.8.02.8.1+3
CVEListV5tensorflow/tensorflow< 2.7.2+2
PyPIintel/optimization_for_tensorflow2.8.02.8.1+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
`CHECK` fail in `Save` and `SaveSlices` in TensorFlow2022-09-16
OSV
TensorFlow vulnerable to `CHECK` fail in `Save` and `SaveSlices`2022-09-16
GHSA
TensorFlow vulnerable to `CHECK` fail in `Save` and `SaveSlices`2022-09-16

📋Vendor Advisories

1
Debian
CVE-2022-35983: tensorflow - TensorFlow is an open source platform for machine learning. If `Save` or `SaveSl...2022
CVE-2022-35983 — Reachable Assertion in Tensorflow | cvebase