CVE-2023-25661

CWE-20 — Improper Input Validation6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 65.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Tensorflow Google Tensorflow

Timeline

PublishedMar 27

Description

TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose` function. This Convolution3DTranspose layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure coul…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶PyPItensorflow< 2.11.1

▶PyPItensorflow-cpu< 2.11.1

▶NVDgoogle/tensorflow< 2.11.1

▶CVEListV5tensorflow/tensorflow< 2.11.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Denial of Service in TensorFlow↗2023-03-27

▶

GHSA

TensorFlow Denial of Service vulnerability↗2023-03-27

▶

OSV

TensorFlow Denial of Service vulnerability↗2023-03-27

▶

📋Vendor Advisories

Microsoft

Denial of Service in TensorFlow↗2023-03-14

▶

Debian

CVE-2023-25661: tensorflow - TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2....↗2023

▶