Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (tensorflow version) |
Remediation Available |
CVE-2022-41894 |
High |
7.1 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41900 |
High |
7.1 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41880 |
Medium |
6.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41895 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41884 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41893 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41898 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41887 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41888 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41899 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41896 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41886 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41897 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41889 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41911 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41901 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41907 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41908 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41909 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41890 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
CVE-2022-41891 |
Medium |
4.8 |
tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl |
Direct |
tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0 |
❌ |
Details
Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2022-41894
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. The reference kernel of the CONV_3D_TRANSPOSE
TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of data_ptr += num_channels;
it should be data_ptr += output_num_channels;
as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41894
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41894
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41900
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.
Publish Date: 2022-11-18
URL: CVE-2022-41900
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41900
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41880
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. When the BaseCandidateSamplerOp
function receives a value in true_classes
larger than range_max
, a heap oob read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41880
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41880
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41895
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. If MirrorPadGrad
is given outsize input paddings
, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41895
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41895
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41884
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41884
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41884
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41893
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. If tf.raw_ops.TensorListResize
is given a nonscalar value for input size
, it results CHECK
fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41893
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41893
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41898
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. If SparseFillEmptyRowsGrad
is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41898
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41898
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41887
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. tf.keras.losses.poisson
receives a y_pred
and y_true
that are passed through functor::mul
in BinaryOp
. If the resulting dimensions overflow an int32
, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.
Publish Date: 2022-11-18
URL: CVE-2022-41887
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41887
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41888
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. When running on GPU, tf.image.generate_bounding_box_proposals
receives a scores
input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41888
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41888
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41899
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. Inputs dense_features
or example_state_data
not of rank 2 will trigger a CHECK
fail in SdcaOptimizer
. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41899
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41899
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41896
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. If ThreadUnsafeUnigramCandidateSampler
is given input filterbank_channel_count
greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41896
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41896
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41886
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. When tf.raw_ops.ImageProjectiveTransformV2
is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41886
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41886
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41897
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. If FractionMaxPoolGrad
is given outsize inputs row_pooling_sequence
and col_pooling_sequence
, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41897
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41897
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41889
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr
, which is not caught. An example can be seen in tf.compat.v1.extract_volume_patches
by passing in quantized tensors as input ksizes
. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41889
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41889
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41911
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a const char*
array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from char
to bool
are undefined if the char
is not 0
or 1
, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit 1be74370327
. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41911
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41911
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41901
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. An input sparse_matrix
that is not a matrix with a shape with rank 0 will trigger a CHECK
fail in tf.raw_ops.SparseMatrixNNZ
. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41901
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41901
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41907
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. When tf.raw_ops.ResizeNearestNeighborGrad
is given a large size
input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41907
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41907
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41908
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. An input token
that is not a UTF-8 bytestring will trigger a CHECK
fail in tf.raw_ops.PyFunc
. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41908
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41908
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here
CVE-2022-41909
Vulnerable Library - tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/69/c2/35cd97ea12da1792c4e55f81e0e983f2a8316a29827895e14816cdaa4502/tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl
Path to dependency file: /docs/sphinx_requirements.txt
Path to vulnerable library: /docs/sphinx_requirements.txt,/tmp/ws-scm/face
Dependency Hierarchy:
- ❌ tensorflow-2.8.3-cp37-cp37m-manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
Vulnerability Details
TensorFlow is an open source platform for machine learning. An input encoded
that is not a valid CompositeTensorVariant
tensor will trigger a segfault in tf.raw_ops.CompositeTensorVariantToComponents
. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Publish Date: 2022-11-18
URL: CVE-2022-41909
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-41909
Release Date: 2022-11-18
Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0
Step up your Open Source Security Game with Mend here