CVE-2023-25659

CWE-125 — Out-of-bounds Read CWE-2038 documents7 sources

Severity

7.5HIGH

EPSS

0.2%

top 57.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Tensorflow Google Tensorflow

Timeline

PublishedMar 25

Latest updateFeb 13

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`, it can trigger an stack OOB read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶PyPItensorflow< 2.11.1

▶PyPItensorflow-cpu< 2.11.1

▶PyPItensorflow-gpu< 2.11.1

▶NVDgoogle/tensorflow< 2.12.0

▶CVEListV5tensorflow/tensorflow< 2.11.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

TensorFlow vulnerable to Out-of-Bounds Read in DynamicStitch↗2023-03-24

▶

CVEList

TensorFlow vulnerable to Out-of-Bounds Read in DynamicStitch↗2023-03-24

▶

OSV

TensorFlow vulnerable to Out-of-Bounds Read in DynamicStitch↗2023-03-24

▶

📋Vendor Advisories

Microsoft

Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659↗2024-02-13

▶

Red Hat

python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659↗2023-12-13

▶

Microsoft

TensorFlow vulnerable to Out-of-Bounds Read in DynamicStitch↗2023-03-14

▶

Debian

CVE-2023-25659: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....↗2023

▶