CVE Vulnerability

CVE-2022-23586

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that assertions in `function.cc` would be falsified and crash the Python interpreter. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/tensorflow/tensorflow/commit/3d89911481ba6ebe8c88c1c0b595412121e6c645 Patch Third Party Advisory
https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/function.cc Exploit Third Party Advisory
https://github.com/tensorflow/tensorflow/commit/dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 Patch Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-43jf-985q-588j Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:google:tensorflow:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
Information

Published : 2022-02-04 11:15

Updated : 2022-02-10 05:33

NVD link : CVE-2022-23586

Mitre link : CVE-2022-23586

Products Affected
No products.
CWE
CWE-617