
CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 1

TensorFlow is an open source machine learning framework. A malicious user can cause a denial of service by altering a `SavedModel` such that assertions in `function.cc` would be falsified and crash the Python interpreter. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

• https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/function.cc
• https://github.com/tensorflow/tensorflow/commit/3d89911481ba6ebe8c88c1c0b595412121e6c645
• https://github.com/tensorflow/tensorflow/commit/dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-43jf-985q-588j

• CWE-617: Reachable Assertion

CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 1

TensorFlow is an open source machine learning framework. A malicious user can cause a denial of service by altering a `SavedModel` such that any binary op would trigger `CHECK` failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the `dtype` no longer matches the `dtype` expected by the op. In that case, the templated binary operator called for the binary op would receive corrupted data, due to the type confusion involved. If `Tin` and `Tout` don't match the type of data in the `out` and `input_*` tensors, then `flat<*>` would interpret it wrongly.

• https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/cwise_ops_common.h#L88-L137
• https://github.com/tensorflow/tensorflow/commit/a7c02f1a9bbc35473969618a09ee5f9f5d3e52d9
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gjqc-q9g6-q2j3

• CWE-617: Reachable Assertion
• CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 1

TensorFlow is an open source machine learning framework. A malicious user can cause a denial of service by altering a `SavedModel` such that `TensorByteSize` would trigger `CHECK` failures. The `TensorShape` constructor `CHECK`-fails if the shape is partial or has a number of elements that would overflow the size of an `int`. The `PartialTensorShape` constructor, by contrast, does not cause a `CHECK`-abort if the shape is partial, which is exactly what this function needs to be able to return `-1`. The fix will be included in TensorFlow 2.8.0.

• https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/attr_value_util.cc#L46-L50
• https://github.com/tensorflow/tensorflow/commit/c2426bba00a01de6913738df8fa78e0215fcce02
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4j82-5ccr-4r8v

• CWE-617: Reachable Assertion

CVSS: 7.6 | EPSS: 0% | CPEs: 3 | EXPL: 1

TensorFlow is an open source machine learning framework. A malicious user can cause a use after free when decoding PNG images. After `png::CommonFreeDecode(&decode)` gets called, the values of `decode.width` and `decode.height` are in an unspecified state. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

• https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346
• https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg

• CWE-416: Use After Free

CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 1

TensorFlow is an open source machine learning framework. Under certain scenarios, the Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

• https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L2621-L2689
• https://github.com/tensorflow/tensorflow/commit/0aaaae6eca5a7175a193696383f582f53adab23f
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8jj7-5vxc-pg2q

• CWE-190: Integer Overflow or Wraparound