CVE-2022-29208

Segfault and Out-of-bounds Write write due to incomplete validation in TensorFlow

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.EditDistance` has incomplete validation. Users can pass negative values to cause a segmentation fault based denial of service. In multiple places throughout the code, one may compute an index for a write operation. However, the existing validation only checks against the upper bound of the array. Hence, it is possible to write before the array by massaging the input to generate negative values for `loc`. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

TensorFlow es una plataforma de código abierto para el aprendizaje automático. En versiones anteriores a 2.9.0, 2.8.1, 2.7.2 y 2.6.4, la implementación de "tf.raw_ops.EditDistance" presenta una comprobación incompleta. Los usuarios pueden pasar valores negativos para causar una denegación de servicio basada en un fallo de segmentación. En múltiples lugares a lo largo del código, puede calcularse un índice para una operación de escritura. Sin embargo, la comprobación existente sólo comprueba el límite superior del array. Por lo tanto, es posible escribir antes de la matriz al masajear la entrada para generar valores negativos para "loc". Las versiones 2.9.0, 2.8.1, 2.7.2 y 2.6.4 contienen un parche para este problema

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-04-13 CVE Reserved
2022-05-20 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-08-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (6)

URL	Tag	Source
https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4	Release Notes
https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2	Release Notes
https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1	Release Notes
https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0	Release Notes

URL	Date	SRC
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2r2f-g8mw-9gvr	2024-08-03

URL	Date	SRC
https://github.com/tensorflow/tensorflow/commit/30721cf564cb029d34535446d6a5a6357bebc8e7	2022-06-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				< 2.6.4 Search vendor "Google" for product "Tensorflow" and version " < 2.6.4"		-		Affected
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				>= 2.7.0 < 2.7.2 Search vendor "Google" for product "Tensorflow" and version " >= 2.7.0 < 2.7.2"		-		Affected
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				2.7.0 Search vendor "Google" for product "Tensorflow" and version "2.7.0"		rc0		Affected
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				2.7.0 Search vendor "Google" for product "Tensorflow" and version "2.7.0"		rc1		Affected
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				2.8.0 Search vendor "Google" for product "Tensorflow" and version "2.8.0"		-		Affected
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				2.8.0 Search vendor "Google" for product "Tensorflow" and version "2.8.0"		rc0		Affected
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				2.8.0 Search vendor "Google" for product "Tensorflow" and version "2.8.0"		rc1		Affected
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				2.9.0 Search vendor "Google" for product "Tensorflow" and version "2.9.0"		rc0		Affected
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				2.9.0 Search vendor "Google" for product "Tensorflow" and version "2.9.0"		rc1		Affected