CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23575 – Integer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23575
Tensorflow is an Open Source Machine Learning Framework. The implementation of `OpLevelCostEstimator::CalculateTensorSize` is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. Tensorflow es un Marco de Aprendizaje Automático de Código Abierto. • https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L1552-L1558 https://github.com/tensorflow/tensorflow/commit/fcd18ce3101f245b083b30655c27b239dc72221e https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c94w-c95p-phf8 • CWE-190: Integer Overflow or Wraparound •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23576 – Integer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23576
Tensorflow is an Open Source Machine Learning Framework. The implementation of `OpLevelCostEstimator::CalculateOutputSize` is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements. We can have a large enough number of dimensions in `output_shape.dim()` or just a small number of dimensions being large enough to cause an overflow in the multiplication. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L1598-L1617 https://github.com/tensorflow/tensorflow/commit/b9bd6cfd1c50e6807846af9a86f9b83cafc9c8ae https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wm93-f238-7v37 • CWE-190: Integer Overflow or Wraparound •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2022-23588 – `CHECK`-fails due to attempting to build a reference tensor in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23588
Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that Grappler optimizer would attempt to build a tensor using a reference `dtype`. This would result in a crash due to a `CHECK`-fail in the `Tensor` constructor as reference types are not allowed. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/tensor.cc#L733-L781 https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/optimizers/constant_folding.cc#L1328-L1402 https://github.com/tensorflow/tensorflow/commit/6b5adc0877de832b2a7c189532dbbbc64622eeb6 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fx5c-h9f6-rv7c • CWE-617: Reachable Assertion •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2022-23589 – Null pointer dereference in Grappler's `IsConstant` in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23589
Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, Grappler component of TensorFlow can trigger a null pointer dereference. There are 2 places where this can occur, for the same malicious alteration of a `SavedModel` file (fixing the first one would trigger the same dereference in the second place). First, during constant folding, the `GraphDef` might not have the required nodes for the binary operation. If a node is missing, the correposning `mul_*child` would be null, and the dereference in the subsequent line would be incorrect. • https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/mutable_graph_view.cc#L59-L74 https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/optimizers/constant_folding.cc#L3466-L3497 https://github.com/tensorflow/tensorflow/commit/045deec1cbdebb27d817008ad5df94d96a08b1bf https://github.com/tensorflow/tensorflow/commit/0a365c029e437be0349c31f8d4c9926b69fa3fa1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9px9-73fg-3fqp • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23586 – Multiple `CHECK`-fails in `function.cc` in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23586
Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that assertions in `function.cc` would be falsified and crash the Python interpreter. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. Tensorflow es un Marco de Aprendizaje Automático de Código Abierto. • https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/function.cc https://github.com/tensorflow/tensorflow/commit/3d89911481ba6ebe8c88c1c0b595412121e6c645 https://github.com/tensorflow/tensorflow/commit/dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-43jf-985q-588j • CWE-617: Reachable Assertion •