CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23584 – Use after free in `DecodePng` in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23584
Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After `png::CommonFreeDecode(&decode)` gets called, the values of `decode.width` and `decode.height` are in an unspecified state. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346 https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg • CWE-416: Use After Free •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23587 – Integer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23587
Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L2621-L2689 https://github.com/tensorflow/tensorflow/commit/0aaaae6eca5a7175a193696383f582f53adab23f https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8jj7-5vxc-pg2q • CWE-190: Integer Overflow or Wraparound •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23592 – Out of bounds read in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23592
Tensorflow is an Open Source Machine Learning Framework. TensorFlow's type inference can cause a heap out of bounds read as the bounds checking is done in a `DCHECK` (which is a no-op during production). An attacker can control the `input_idx` variable such that `ix` would be larger than the number of values in `node_t.args`. The fix will be included in TensorFlow 2.8.0. This is the only affected version. • https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/core/graph/graph.cc#L223-L229 https://github.com/tensorflow/tensorflow/commit/c99d98cd189839dcf51aee94e7437b54b31f8abd https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vq36-27g6-p492 • CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-23595 – Null pointer dereference in TensorFlow
https://notcve.org/view.php?id=CVE-2022-23595
Tensorflow is an Open Source Machine Learning Framework. When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference. In the default scenario, all devices are allowed, so `flr->config_proto` is `nullptr`. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/jit/xla_platform_info.cc#L43-L104 https://github.com/tensorflow/tensorflow/commit/e21af685e1828f7ca65038307df5cc06de4479e8 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fpcp-9h7m-ffpx • CWE-476: NULL Pointer Dereference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23594 – Out of bounds read in Tensorflow
https://notcve.org/view.php?id=CVE-2022-23594
Tensorflow is an Open Source Machine Learning Framework. The TFG dialect of TensorFlow (MLIR) makes several assumptions about the incoming `GraphDef` before converting it to the MLIR-based dialect. If an attacker changes the `SavedModel` format on disk to invalidate these assumptions and the `GraphDef` is then converted to MLIR-based IR then they can cause a crash in the Python interpreter. Under certain scenarios, heap OOB read/writes are possible. These issues have been discovered via fuzzing and it is possible that more weaknesses exist. • https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9x52-887g-fhc2 https://github.com/tensorflow/tensorflow/tree/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/core/ir/importexport • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •