CVE-2022-41888 — Improper Input Validation in Tensorflow

CWE-20 — Improper Input Validation6 documents6 sources

Severity

7.5HIGHNVD

CNA4.8

EPSS

0.2%

top 54.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedNov 18

Latest updateNov 21

Description

TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.9.0 — 2.9.3+2

▶CVEListV5tensorflow/tensorflow< 2.8.4+2

▶PyPIintel/optimization_for_tensorflow2.9.0 — 2.9.3+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

FPE in `tf.image.generate_bounding_box_proposals`↗2022-11-21

▶

OSV

FPE in `tf.image.generate_bounding_box_proposals`↗2022-11-21

▶

CVEList

Unckecked rank size in `tf.image.generate_bounding_box_proposals` in Tensorflow↗2022-11-18

▶

📋Vendor Advisories

Microsoft

Unckecked rank size in `tf.image.generate_bounding_box_proposals` in Tensorflow↗2022-11-08

▶

Debian

CVE-2022-41888: tensorflow - TensorFlow is an open source platform for machine learning. When running on GPU,...↗2022

▶