SB2022051758 - Multiple vulnerabilities in TensorFlow
Published: May 17, 2022 Updated: May 4, 2026
Description
This security bulletin contains information about 77 vulnerabilities.
1) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2022-41885)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an overflow in the buffer-size calculation of `tf.raw_ops.FusedResizeAndPadConv2D` when the op is given a large tensor shape. A remote attacker can supply a large tensor shape to trigger the overflow and perform a denial of service (DoS) attack.
2) Heap-based buffer overflow (CVE-ID: CVE-2022-29210)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in the TensorKey hash function when hashing tensor data. A remote attacker can supply a specially crafted tensor to trigger out-of-bounds memory access and cause a denial of service.
3) Type Confusion (CVE-ID: CVE-2022-29209)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to type confusion in TensorFlow's CHECK assertion macros, which compare size_t and int values without accounting for the signed/unsigned mismatch. A remote attacker can supply input that makes these checks evaluate incorrectly and cause a denial of service.
4) Input validation error (CVE-ID: CVE-2022-29212)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of quantization scale values in QuantizeMultiplierSmallerThanOneExp when loading a crafted TFLite model with quantization. A remote attacker can supply a specially crafted model to cause a denial of service.
The issue triggers a TFLITE_CHECK_LT assertion and aborts the process.
5) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2022-29211)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of NaN values in tf.histogram_fixed_width when processing input containing NaN elements on the CPU implementation. A local user can supply crafted input containing NaN values to cause a denial of service.
Only the CPU implementation is affected.
6) Input validation error (CVE-ID: CVE-2022-29202)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.ragged.constant when processing user-supplied input arguments. A remote attacker can supply a crafted ragged_rank value to cause a denial of service.
The issue can consume all available memory.
7) Input validation error (CVE-ID: CVE-2022-29204)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.UnsortedSegmentJoin when processing the num_segments argument. A remote attacker can supply a negative num_segments value to cause a denial of service.
The negative value is used to allocate the output tensor, which triggers a CHECK failure (assertion failure).
8) Integer overflow (CVE-ID: CVE-2022-29203)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in tf.raw_ops.SpaceToBatchND when processing crafted input tensors. A remote attacker can supply a specially crafted block_shape value so that the overflowed result is used to allocate the output tensor, which triggers a CHECK failure (assertion failure) and causes a denial of service.
9) Input validation error (CVE-ID: CVE-2022-29201)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.QuantizedConv2D when processing crafted input arguments. A remote attacker can supply empty tensor arguments to trigger undefined behavior and cause a denial of service.
10) Out-of-bounds write (CVE-ID: CVE-2022-36027)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to memory corruption in the TFLite converter when converting transposed convolutions with per-channel weight quantization. A local user can convert a specially crafted model to cause a denial of service.
11) Input validation error (CVE-ID: CVE-2022-36026)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in QuantizeAndDequantizeV3 when processing a nonscalar num_bits input tensor. A remote attacker can supply a crafted input tensor to cause a denial of service.
12) Input validation error (CVE-ID: CVE-2022-36016)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tensorflow::full_type::SubstituteFromAttrs when processing a FullTypeDef input. A remote attacker can supply a crafted FullTypeDef with an invalid number of arguments to cause a denial of service.
13) Integer overflow (CVE-ID: CVE-2022-36015)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in RangeSize in tensorflow/core/ops/math_ops.cc when processing crafted range values that do not fit into an int64_t. A remote attacker can supply crafted input values to trigger a crash to cause a denial of service.
14) NULL pointer dereference (CVE-ID: CVE-2022-36013)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in mlir::tfg::GraphDefImporter::ConvertNodeDef when converting NodeDefs without an op name. A remote attacker can supply a crafted GraphDef containing a NodeDef with an empty op field to cause a denial of service.
15) Input validation error (CVE-ID: CVE-2022-36012)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in mlir::tfg::ConvertGenericFunctionToFunctionDef when processing empty function attributes. A remote attacker can supply crafted input with empty edge names to cause a denial of service.
16) NULL pointer dereference (CVE-ID: CVE-2022-36011)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in mlir::tfg::ConvertGenericFunctionToFunctionDef when processing empty function attributes. A remote attacker can provide crafted function attributes with an empty attribute name to cause a denial of service.
17) Input validation error (CVE-ID: CVE-2022-36005)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in FakeQuantWithMinMaxVarsGradient when processing nonscalar min or max inputs. A local user can supply crafted nonscalar min or max values to cause a denial of service.
18) Input validation error (CVE-ID: CVE-2022-36004)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.random.gamma when processing large input shape and rate values. A remote attacker can supply crafted input tensors to trigger a process crash and cause a denial of service.
19) Input validation error (CVE-ID: CVE-2022-36003)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in RandomPoissonV2 when processing large input shape and rate values. A remote attacker can supply crafted inputs to trigger a CHECK failure and cause a denial of service.
20) Input validation error (CVE-ID: CVE-2022-36002)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in Unbatch when processing a nonscalar input id. A local user can supply a crafted nonscalar id value to cause a denial of service.
21) Input validation error (CVE-ID: CVE-2022-36001)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in DrawBoundingBoxes when processing input tensors with an unexpected dtype. A local user can supply a crafted input tensor to cause a denial of service.
22) Input validation error (CVE-ID: CVE-2022-36000)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in Eig when processing an incorrect Tout input. A remote attacker can supply a mismatched Tout value to trigger a CHECK failure and cause a denial of service.
23) Input validation error (CVE-ID: CVE-2022-35999)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in Conv2DBackpropInput when processing empty out_backprop inputs. A remote attacker can supply a crafted input tensor to cause a denial of service.
The issue affects the CPU and GPU kernels.
24) Input validation error (CVE-ID: CVE-2022-35998)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in EmptyTensorList when processing an element_shape input with more than one dimension. A remote attacker can supply a specially crafted element_shape value to cause a denial of service.
25) Input validation error (CVE-ID: CVE-2022-35997)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.sparse.cross when processing a non-scalar separator input. A local user can supply a specially crafted separator value to cause a denial of service.
26) Division by zero (CVE-ID: CVE-2022-35996)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to division by zero in the Conv2D operation when processing an empty input tensor with valid filter and padding sizes. A remote attacker can supply crafted input values to cause a denial of service.
The issue can be triggered on CPU and GPU.
27) Input validation error (CVE-ID: CVE-2022-35995)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in AudioSummaryV2 when processing a sample_rate input with more than one element. A remote attacker can supply a crafted sample_rate tensor to cause a denial of service.
28) Input validation error (CVE-ID: CVE-2022-35994)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in CollectiveGather when processing a scalar input. A local user can supply a scalar input to trigger a check failure and cause a denial of service.
29) Input validation error (CVE-ID: CVE-2022-35993)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in SetSize when processing a set_shape input that is not a 1d tensor. A remote attacker can supply a malformed set_shape argument to cause a denial of service.
30) Input validation error (CVE-ID: CVE-2022-35992)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in TensorListFromTensor when processing a crafted element_shape input with a rank greater than one. A remote attacker can send crafted input to trigger a CHECK failure and cause a denial of service.
31) Input validation error (CVE-ID: CVE-2022-35990)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in FakeQuantWithMinMaxVarsPerChannelGradient when processing min or max inputs with a rank other than 1. A local user can supply crafted input tensors to cause a denial of service.
32) Input validation error (CVE-ID: CVE-2022-35989)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the MaxPool GPU kernel when processing a window size input array larger than the input tensor. A remote attacker can supply a crafted ksize input to trigger a CHECK fail and cause a denial of service.
The issue occurs when using the MaxPool operation with GPU execution.
33) Input validation error (CVE-ID: CVE-2022-35988)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.linalg.matrix_rank when processing an empty input tensor on the GPU kernel. A remote attacker can supply a crafted empty input to cause a denial of service.
The issue is triggered when the `a` input of the operation is empty.
34) Input validation error (CVE-ID: CVE-2022-35987)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the DenseBincount operation when processing input tensors with a weights tensor whose shape differs from the input tensor and is not length-0. A local user can supply crafted tensor inputs to trigger a check failure and cause a denial of service.
35) Input validation error (CVE-ID: CVE-2022-35986)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in RaggedBincount when processing an empty input tensor for splits. A local user can supply a crafted empty splits tensor to cause a denial of service.
36) Input validation error (CVE-ID: CVE-2022-35985)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in LRNGrad when processing an output_image input tensor that is not 4-D. A local user can supply a crafted input tensor to cause a denial of service.
37) Input validation error (CVE-ID: CVE-2022-35984)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ParameterizedTruncatedNormal when processing a valid shape argument of type int64. A remote attacker can supply a crafted shape input to cause a denial of service.
The issue is triggered by a mismatched type CHECK failure because the operation assumes the shape input is int32.
38) Input validation error (CVE-ID: CVE-2022-35983)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in Save and SaveSlices when processing tensors of an unsupported dtype. A local user can supply a tensor with an unsupported dtype to cause a denial of service.
39) Input validation error (CVE-ID: CVE-2022-35982)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in SparseBincount when processing inputs for indices, values, and dense_shape that do not form a valid sparse tensor. A remote attacker can send crafted input to cause a denial of service.
40) Input validation error (CVE-ID: CVE-2022-36018)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in RaggedTensorToVariant when processing an rt_nested_splits list containing tensors with ranks other than one. A remote attacker can supply crafted input to trigger a CHECK failure and cause a denial of service.
41) Input validation error (CVE-ID: CVE-2022-35981)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in FractionalMaxPoolGrad when processing incorrectly sized inputs. A remote attacker can send crafted input tensors to cause a denial of service.
42) Input validation error (CVE-ID: CVE-2022-35979)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in QuantizedRelu and QuantizedRelu6 when processing nonscalar min_features or max_features inputs. A local user can supply crafted input tensors to cause a denial of service.
43) Input validation error (CVE-ID: CVE-2022-35974)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in QuantizeDownAndShrinkRange when processing nonscalar input_min or input_max inputs. A local user can supply crafted inputs to cause a denial of service.
44) Input validation error (CVE-ID: CVE-2022-35973)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in QuantizedMatMul when processing nonscalar input for min_a, max_a, min_b, or max_b. A local user can supply crafted input tensors to cause a denial of service.
45) Input validation error (CVE-ID: CVE-2022-36019)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in FakeQuantWithMinMaxVarsPerChannel when processing min or max tensors with a rank other than one. A remote attacker can supply crafted tensor inputs to cause a denial of service.
46) Input validation error (CVE-ID: CVE-2022-35972)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in QuantizedBiasAdd when processing min_input, max_input, min_bias, and max_bias tensors of a nonzero rank. A local user can supply crafted tensor inputs to cause a denial of service.
47) Input validation error (CVE-ID: CVE-2022-36017)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the Requantize operation when processing input_min, input_max, requested_output_min, and requested_output_max tensors of nonzero rank. A local user can supply crafted tensors to trigger a segmentation fault and cause a denial of service.
48) Input validation error (CVE-ID: CVE-2022-35971)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in FakeQuantWithMinMaxVars when processing min or max tensors of nonzero rank. A remote attacker can supply crafted input tensors to cause a denial of service.
49) Input validation error (CVE-ID: CVE-2022-35970)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in QuantizedInstanceNorm when processing x_min or x_max tensors of a nonzero rank. A local user can supply crafted x_min or x_max tensor inputs to cause a denial of service.
50) Input validation error (CVE-ID: CVE-2022-35969)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in Conv2DBackpropInput when processing a crafted input_sizes argument. A local user can supply a non-4-dimensional input_sizes value to cause a denial of service.
51) Input validation error (CVE-ID: CVE-2022-35968)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in AvgPoolGrad when processing the orig_input_shape input. A remote attacker can supply a crafted orig_input_shape value to cause a denial of service.
52) Input validation error (CVE-ID: CVE-2022-35967)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in QuantizedAdd when processing min_input or max_input tensors of a nonzero rank. A remote attacker can supply crafted tensor inputs to cause a denial of service.
53) Input validation error (CVE-ID: CVE-2022-35966)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in QuantizedAvgPool when processing min_input or max_input tensors of a nonzero rank. A local user can supply crafted tensors to trigger a segmentation fault and cause a denial of service.
54) NULL pointer dereference (CVE-ID: CVE-2022-35965)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a nullptr dereference in the LowerBound and UpperBound operations when processing an empty sorted_inputs input. A local user can supply crafted input tensors to trigger a segmentation fault and cause a denial of service.
55) Input validation error (CVE-ID: CVE-2022-35964)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in BlockLSTMGradV2 when parsing input tensors. A local user can supply tensors with invalid ranks to cause a denial of service.
56) Integer overflow (CVE-ID: CVE-2022-35963)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer overflow in FractionalAvgPoolGrad when processing a crafted orig_input_tensor_shape input. A local user can supply a crafted orig_input_tensor_shape value to cause a denial of service.
57) Integer overflow (CVE-ID: CVE-2022-35959)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in AvgPool3DGradOp when processing a crafted orig_input_shape input. A remote attacker can supply a specially crafted orig_input_shape value to cause a denial of service.
58) Input validation error (CVE-ID: CVE-2022-35952)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in UnbatchGradOp when processing crafted id or batch_index arguments. A local user can supply a nonscalar id or an incorrectly sized batch_index to cause a denial of service.
59) Integer overflow (CVE-ID: CVE-2022-35940)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in RaggedRangeOp when converting a very large floating-point limits value to int64. A remote attacker can supply a specially crafted limits argument to cause a denial of service.
60) Out-of-bounds write (CVE-ID: CVE-2022-35939)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in the ScatterNd function when parsing input that supplies tensor indices. A local user can provide indices outside the bounds of the output tensor (greater than the dimension size or negative) to cause a denial of service.
61) Out-of-bounds read (CVE-ID: CVE-2022-35938)
The vulnerability allows a remote attacker to cause a denial of service or disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the GatherNd function when processing crafted input tensors with indices greater than or equal to the output sizes. A remote attacker can supply specially crafted input tensors to cause a denial of service or disclose sensitive information.
62) Input validation error (CVE-ID: CVE-2022-35960)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in TensorListReserve when processing a num_elements tensor with more than one element. A remote attacker can provide a crafted num_elements input to cause a denial of service.
63) Out-of-bounds read (CVE-ID: CVE-2022-35937)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the GatherNd operation in TensorFlow Lite when parsing crafted input that controls input and output sizes. A remote attacker can supply values greater than or equal to the output sizes to disclose sensitive information.
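The three GatherNd/ScatterNd issues above (items 60, 61 and 63) share one root cause: an index is used to address memory before it is checked against the shape it indexes. The following is an added example, not TensorFlow or TensorFlow Lite code, that models the missing check on plain nested Python lists; `shape_of`, `check_indices`, `gather_nd`, `scatter_nd` and `rejects` are names chosen for this illustration. Python lists make the negative case visible without crashing: an unchecked `-1` silently wraps to the last element, which is exactly the kind of out-of-bounds access a C++ kernel would perform on raw memory.

```python
from typing import Any, Callable, List, Sequence, Tuple

# Added example (not TensorFlow's code): bounds validation of the kind the
# GatherNd / ScatterNd fixes add, written against nested Python lists.


def shape_of(x: Any) -> Tuple[int, ...]:
    """Shape of a nested-list tensor; a bare number is a rank-0 tensor."""
    shape: List[int] = []
    while isinstance(x, list):
        shape.append(len(x))
        if not x:
            break
        x = x[0]
    return tuple(shape)


def check_indices(indices: Sequence[Sequence[int]], shape: Tuple[int, ...]) -> None:
    """Reject any index tuple that is not strictly inside `shape`.

    Both failure modes from the advisories are caught here: an index >= the
    dimension size (reads/writes past the buffer) and a negative index (which
    Python would silently wrap and C++ would treat as a huge unsigned offset).
    """
    for row, idx in enumerate(indices):
        if len(idx) > len(shape):
            raise ValueError(
                f"indices[{row}] has {len(idx)} coordinates but params has rank {len(shape)}"
            )
        for axis, (i, dim) in enumerate(zip(idx, shape)):
            if not 0 <= i < dim:
                raise ValueError(f"indices[{row}][{axis}] = {i} is outside [0, {dim})")


def _walk(params: Any, idx: Sequence[int]) -> Any:
    """Follow one index tuple into a nested list (no validation)."""
    for i in idx:
        params = params[i]
    return params


def unchecked_gather_nd(params: list, indices: Sequence[Sequence[int]]) -> list:
    """The vulnerable shape: indices are trusted as given."""
    return [_walk(params, idx) for idx in indices]


def gather_nd(params: list, indices: Sequence[Sequence[int]]) -> list:
    """Hardened gather: every index is validated against params' shape first."""
    check_indices(indices, shape_of(params))
    return [_walk(params, idx) for idx in indices]


def _zeros(shape: Tuple[int, ...]) -> Any:
    return 0 if not shape else [_zeros(shape[1:]) for _ in range(shape[0])]


def scatter_nd(indices: Sequence[Sequence[int]], updates: Sequence[int],
               shape: Sequence[int]) -> list:
    """Hardened scatter into a fresh zero tensor of `shape`.

    This illustration only scatters whole elements (len(idx) == len(shape)).
    """
    shape = tuple(shape)
    check_indices(indices, shape)
    if len(indices) != len(updates):
        raise ValueError("indices and updates must have the same length")
    out = _zeros(shape)
    for idx, upd in zip(indices, updates):
        if len(idx) != len(shape):
            raise ValueError("this example scatters whole elements only")
        _walk(out, idx[:-1])[idx[-1]] += upd
    return out


def rejects(fn: Callable[..., Any], *args: Any) -> bool:
    """True if fn(*args) is refused with ValueError (used to show the guard works)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    params = [[1, 2], [3, 4]]  # constructed sample input
    print(unchecked_gather_nd(params, [[-1, 0]]))  # silently returns [3]
    print(rejects(gather_nd, params, [[-1, 0]]))   # True
```

The check mirrors what the fixed kernels do before touching the buffer: compare every coordinate against the corresponding dimension and return an error status rather than proceeding. The same `check_indices` serves both the read (gather) and write (scatter) direction, which is why it is worth keeping as a single shared routine in real code.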
64) Integer overflow (CVE-ID: CVE-2022-35934)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer overflow in tf.reshape when processing a user-supplied shape tensor. A local user can supply a crafted shape value to cause a denial of service.
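Items 8, 13, 59 and 64 are all instances of size arithmetic that wraps in int64: a product of dimensions, a range length, or a float converted to int64. The following added example, which is not TensorFlow code, emulates int64 in Python (whose integers do not overflow) to show the wrapped result the unchecked kernels compute and the explicit bound checks that a fix has to add. `INT64_MAX`, `wrap_int64`, `checked_num_elements`, `checked_range_size` and `checked_float_to_int64` are names for this illustration only.

```python
import math
from typing import Any, Callable, Sequence

# Added example (not TensorFlow's code): int64-safe size arithmetic.

INT64_MAX = 2**63 - 1
INT64_MIN = -(2**63)


def wrap_int64(n: int) -> int:
    """Two's-complement wrap of an unbounded Python int to int64 range."""
    return ((n + 2**63) % 2**64) - 2**63


def unchecked_num_elements(dims: Sequence[int]) -> int:
    """What plain int64 multiplication does: the count silently wraps,
    possibly to zero or a negative number, and that value then drives the
    output allocation."""
    n = 1
    for d in dims:
        n = wrap_int64(n * d)
    return n


def checked_num_elements(dims: Sequence[int]) -> int:
    """Multiply dimensions but fail as soon as the running product leaves int64."""
    n = 1
    for d in dims:
        if d < 0:
            raise ValueError(f"negative dimension {d} in shape {list(dims)}")
        n *= d
        if n > INT64_MAX:
            raise ValueError(f"element count of shape {list(dims)} overflows int64")
    return n


def checked_range_size(start: int, limit: int, delta: int) -> int:
    """Length of range(start, limit, delta) with the span checked against int64.

    limit - start for values near INT64_MIN / INT64_MAX does not fit in int64,
    which is the RangeSize condition from item 13.
    """
    if delta == 0:
        raise ValueError("delta must be non-zero")
    if (delta > 0 and start >= limit) or (delta < 0 and start <= limit):
        return 0
    span = abs(limit - start)
    if span > INT64_MAX:
        raise ValueError("limit - start does not fit in int64")
    step = abs(delta)
    return (span + step - 1) // step  # ceiling division in integers


def checked_float_to_int64(x: float) -> int:
    """Convert a float to int64 only if the value is representable.

    NaN, infinities and magnitudes >= 2**63 are rejected; a C++ static_cast of
    such values is undefined behaviour (the RaggedRange case from item 59).
    """
    if math.isnan(x) or math.isinf(x):
        raise ValueError(f"{x!r} is not a finite number")
    if x >= 2**63 or x < INT64_MIN:  # int/float comparison is exact in Python
        raise ValueError(f"{x!r} is outside the int64 range")
    return int(x)  # truncation toward zero, as a C++ cast would do


def rejects(fn: Callable[..., Any], *args: Any) -> bool:
    """True if fn(*args) is refused with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bad_shape = [2**62, 4]  # constructed: 2**64 elements, wraps to 0 in int64
    print(unchecked_num_elements(bad_shape))          # 0
    print(rejects(checked_num_elements, bad_shape))   # True
```

The running-product check is the important detail: testing only the final product is not enough once the arithmetic has already wrapped, so each multiplication has to be checked before the next one, which is also why the checked function rejects negative dimensions up front rather than letting a negative product through.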
65) Input validation error (CVE-ID: CVE-2022-29206)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.SparseTensorDenseAdd when processing crafted input tensors. A local user can supply inconsistent tensor arguments to trigger undefined behavior and crash the process to cause a denial of service.
A reference is bound to a nullptr during kernel execution.
66) NULL pointer dereference (CVE-ID: CVE-2022-29205)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in ParseDimensionValue when processing tf.compat.v1 ops with quantized types that lack kernel support. A local user can call a vulnerable operation with a crafted quantized type input to cause a denial of service.
67) NULL pointer dereference (CVE-ID: CVE-2022-29207)
The vulnerability allows a local user to cause undefined behavior.
The vulnerability exists due to a null pointer dereference in TensorFlow resource handle processing when handling invalid resource handles in eager mode. A local user can supply an empty or otherwise invalid resource handle to trigger undefined behavior.
The issue is reachable in eager mode, while the same API calls would be impossible in graph mode.
68) Input validation error (CVE-ID: CVE-2022-29196)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.Conv3DBackpropFilterV2 when processing the filter_sizes argument. A local user can supply a malformed filter_sizes argument to cause a denial of service.
The issue is triggered because the filter_sizes argument is not validated to be a vector.
69) Input validation error (CVE-ID: CVE-2022-29200)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.LSTMBlockCell when parsing input arguments. A remote attacker can send crafted input tensors with invalid ranks to trigger a CHECK-failure and cause a denial of service.
70) Input validation error (CVE-ID: CVE-2022-29198)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.SparseTensorToCSRSparseMatrix when processing crafted sparse tensor arguments. A remote attacker can send malformed input tensors to trigger a CHECK-failure and cause a denial of service.
71) Input validation error (CVE-ID: CVE-2022-29199)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.LoadAndRemapMatrix when parsing input arguments. A local user can supply a crafted tensor input to trigger a CHECK-failure and cause a denial of service.
72) Input validation error (CVE-ID: CVE-2022-29197)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.UnsortedSegmentJoin when processing user-supplied input arguments. A remote attacker can supply a crafted num_segments input to trigger a CHECK-failure and cause a denial of service.
73) Input validation error (CVE-ID: CVE-2022-29195)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.StagePeek when parsing input arguments. A local user can supply a crafted non-scalar index input to trigger a CHECK failure and cause a denial of service.
74) Input validation error (CVE-ID: CVE-2022-29194)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.DeleteSessionTensor when processing a crafted handle argument. A remote attacker can supply a non-scalar handle value to trigger a CHECK failure and cause a denial of service.
75) Input validation error (CVE-ID: CVE-2022-29192)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.QuantizeAndDequantizeV4Grad when processing crafted input arguments. A remote attacker can supply non-scalar input_min or input_max values to cause a denial of service.
The issue results in a CHECK-failure because the implementation assumes input_min and input_max are scalars without validating this condition.
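The sentence above describes the pattern behind most of this bulletin (items 11, 17, 20, 25, 27 to 30, 42 to 53, 58, 62 and 73 to 75): a kernel reads element 0 of a min/max or id tensor as if it were a scalar, and the missing rank check turns a malformed input into a CHECK failure, a nullptr dereference or a silently wrong value. The following added example, not TensorFlow code, models both versions of such a kernel in plain Python: `flat_first` stands in for reading `tensor.flat<T>()(0)`, `require_rank` for the shape check a fix adds, and `dequantize` is a simplified stand-in for any quantized op that takes `min_range`/`max_range` scalars. All of these names and the simple uint8 dequantization formula are assumptions for the illustration.

```python
from typing import Any, Callable, List, Sequence

# Added example (not TensorFlow's code): rank validation for "scalar" inputs.


class InvalidArgument(ValueError):
    """Stands in for the InvalidArgument status an OP_REQUIRES check returns."""


def rank_of(x: Any) -> int:
    """Nesting depth of a nested-list tensor; a bare number has rank 0,
    an empty list is a rank-1 tensor with zero elements."""
    rank = 0
    while isinstance(x, list) and x:
        rank += 1
        x = x[0]
    return rank + (1 if isinstance(x, list) else 0)


def require_rank(name: str, x: Any, rank: int) -> None:
    """The check the fixed kernels add before touching the data."""
    got = rank_of(x)
    if got != rank:
        raise InvalidArgument(f"{name} must be rank {rank}, got rank {got}")


def flat_first(x: Any) -> Any:
    """Model of tensor.flat<T>()(0): reads element 0 whatever the shape is.

    A rank-1 input yields its first element (wrong but silent); an empty
    tensor has no element 0 at all, which is the nullptr/out-of-bounds case.
    """
    while isinstance(x, list):
        if not x:
            raise IndexError("empty tensor has no element 0")
        x = x[0]
    return x


def dequantize_unchecked(q: Sequence[int], min_range: Any, max_range: Any) -> List[float]:
    """Vulnerable form: assumes min_range/max_range are scalars without checking."""
    lo, hi = flat_first(min_range), flat_first(max_range)
    return [lo + (v / 255.0) * (hi - lo) for v in q]


def dequantize(q: Sequence[int], min_range: Any, max_range: Any) -> List[float]:
    """Hardened form: ranks are validated, so non-scalar ranges are refused."""
    require_rank("q", q, 1)
    require_rank("min_range", min_range, 0)
    require_rank("max_range", max_range, 0)
    return [min_range + (v / 255.0) * (max_range - min_range) for v in q]


def rejects(fn: Callable[..., Any], *args: Any) -> bool:
    """True if fn(*args) is refused with InvalidArgument (a ValueError)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    q = [0, 128, 255]  # constructed uint8 sample
    print(dequantize(q, 0.0, 1.0))
    print(dequantize_unchecked(q, [0.0, 5.0], [1.0]))  # silently uses 0.0 and 1.0
    print(rejects(dequantize, q, [0.0, 5.0], 1.0))       # True
```

Two behaviours of the unchecked version are worth noting when triaging such reports: a rank-1 range is not an error there, it just produces a wrong result from element 0, while an empty range fails in the read itself. Only the second shows up as a crash, but both are the same missing check.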
76) Input validation error (CVE-ID: CVE-2022-29193)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.TensorSummaryV2 when parsing input. A local user can supply a crafted serialized_summary_metadata argument to cause a denial of service.
77) Code Injection (CVE-ID: CVE-2022-29216)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to code injection in saved_model_cli, which passes the user-supplied --input_exprs strings to Python's eval(). A local user can supply a specially crafted --input_exprs argument to execute arbitrary code in the context of the user running the tool.
The --input_exprs option accepts arbitrary Python expressions (for example numpy calls), which is why the tool evaluated them; because the tool is always run manually, the impact is limited to the account that invokes it.
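The eval() pattern from item 77 is easy to reproduce and easy to fix, so it is worth seeing both sides next to each other. The following added example is not the saved_model_cli source: it models the `key=expression;key2=expression2` syntax the tool documents for --input_exprs with an eval()-based parser beside a replacement that only accepts Python literals via `ast.literal_eval`. The `np` namespace is included only to mirror the tool's behaviour and is optional; `_split_exprs`, `parse_input_exprs_unsafe`, `parse_input_exprs_safe` and `is_rejected` are names for this illustration.

```python
import ast
from typing import Any, Callable, Dict

# Added example (not saved_model_cli code): eval()-based argument parsing
# next to a literal-only replacement.

try:
    import numpy as np  # only to mirror the tool's `np` namespace; not required
except ImportError:  # pragma: no cover
    np = None


def _split_exprs(arg: str) -> Dict[str, str]:
    """Split 'key=expr;key2=expr2' into {key: expr}.

    Splitting on ';' is as naive as the documented syntax; a string literal
    containing ';' would need a real tokenizer, which is out of scope here.
    """
    out: Dict[str, str] = {}
    for item in filter(None, (s.strip() for s in arg.split(";"))):
        if "=" not in item:
            raise ValueError(f"expected key=expression, got {item!r}")
        key, expr = item.split("=", 1)
        out[key.strip()] = expr.strip()
    return out


def parse_input_exprs_unsafe(arg: str) -> Dict[str, Any]:
    """Vulnerable form: every expression is handed to eval().

    The namespace only exposes `np`, but eval() adds builtins automatically,
    so __import__ and friends remain reachable from the expression.
    """
    namespace: Dict[str, Any] = {"np": np} if np is not None else {}
    return {key: eval(expr, namespace) for key, expr in _split_exprs(arg).items()}  # noqa: S307


def parse_input_exprs_safe(arg: str) -> Dict[str, Any]:
    """Hardened form: only Python literals (numbers, strings, lists, dicts,
    tuples, booleans, None) are accepted; calls, attribute access and names
    are refused with ValueError."""
    result: Dict[str, Any] = {}
    for key, expr in _split_exprs(arg).items():
        try:
            result[key] = ast.literal_eval(expr)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(
                f"--input_exprs value for {key!r} is not a Python literal: {expr!r}"
            ) from exc
    return result


def is_rejected(parser: Callable[[str], Dict[str, Any]], arg: str) -> bool:
    """True if the parser refuses `arg` with ValueError."""
    try:
        parser(arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "x=[1, 2.5]; name='a'"                 # constructed sample
    payload = "x=__import__('os').getpid()"          # harmless stand-in for injected code
    print(parse_input_exprs_safe(benign))
    print(parse_input_exprs_unsafe(payload))         # the injected call runs
    print(is_rejected(parse_input_exprs_safe, payload))  # True
```

The trade-off is deliberate: the safe parser cannot express `np.ones((1, 2))`-style expressions at all. A tool that needs them has to make the unsafe mode an explicit, warned-about opt-in rather than the default, so that an operator pasting a third party's command line is not the one executing it.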
Remediation
Install the update from the vendor's website.
References
- https://github.com/tensorflow/tensorflow/commit/d66e1d568275e6a2947de97dca7a102a211e01ce
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-762h-vpvw-3rcx
- https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/conv_ops_fused_image_transform.cc
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hc2f-7r5r-r2hg
- https://github.com/tensorflow/tensorflow/commit/1b85a28d395dc91f4d22b5f9e1e9a22e92ccecd6
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f4rr-5m7v-wxcw
- https://github.com/tensorflow/tensorflow/commit/b917181c29b50cb83399ba41f4d938dc369109a1
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8wwm-6264-x792
- https://github.com/tensorflow/tensorflow/commit/a989426ee1346693cc015792f11d715f6944f2b8
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrp2-fhq4-4q3w
- https://github.com/tensorflow/tensorflow/commit/e57fd691c7b0fd00ea3bfe43444f30c1969748b5
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cwpm-f78v-7m5c
- https://github.com/tensorflow/tensorflow/commit/bd4d5583ff9c8df26d47a23e508208844297310e
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hx9q-2mx4-m4pg
- https://github.com/tensorflow/tensorflow/commit/84563f265f28b3c36a15335c8b005d405260e943
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jjm6-4vf7-cjh4
- https://github.com/tensorflow/tensorflow/commit/acd56b8bcb72b163c834ae4f18469047b001fadf
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pqhm-4wvf-2jg8
- https://github.com/tensorflow/tensorflow/commit/0f0b080ecde4d3dfec158d6f60da34d5e31693c4
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-79h2-q768-fpxr
- https://github.com/tensorflow/tensorflow/commit/aa0b852a4588cea4d36b74feb05d93055540b450
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9cr2-8pwr-fhfq
- https://github.com/tensorflow/tensorflow/commit/f3f9cb38ecfe5a8a703f2c4a8fead434ef291713
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g468-qj8g-vcjc
- https://github.com/tensorflow/tensorflow/commit/6104f0d4091c260ce9352f9155f7e9b725eab012
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rh87-q4vg-m45j
- https://github.com/tensorflow/tensorflow/commit/37e64539cd29fcfb814c4451152a60f5d107b0f0
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-828c-5j5q-vrjq
- https://github.com/tensorflow/tensorflow/commit/a0f0b9a21c9270930457095092f558fbad4c03e5
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jvhc-5hhr-w3v5
- https://github.com/tensorflow/tensorflow/commit/ad069af92392efee1418c48ff561fd3070a03d7b
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fv43-93gv-vm8f
- https://github.com/tensorflow/tensorflow/commit/1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r26c-679w-mrjm
- https://github.com/tensorflow/tensorflow/commit/f3cf67ac5705f4f04721d15e485e192bb319feed
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mv8m-8x97-937q
- https://github.com/tensorflow/tensorflow/commit/552bfced6ce4809db5f3ca305f60ff80dd40c5a3
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cv2p-32v3-vhwq
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mh3m-62v7-68xg
- https://github.com/tensorflow/tensorflow/commit/4419d10d576adefa36b0e0a9425d2569f7c0189f
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jqm7-m5q7-3hm5
- https://github.com/tensorflow/tensorflow/commit/da0d65cdc1270038e72157ba35bf74b85d9bda11
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fqxc-pvf8-2w9v
- https://github.com/tensorflow/tensorflow/commit/aed36912609fc07229b4d0a7b44f3f48efc00fd0
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-37jf-mjv6-xfqw
- https://github.com/tensorflow/tensorflow/commit/27a65a43cf763897fecfa5cdb5cc653fc5dd0346
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhw4-wwr7-gjc5
- https://github.com/tensorflow/tensorflow/commit/c8ba76d48567aed347508e0552a257641931024d
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-p7hr-f446-x6qf
- https://github.com/tensorflow/tensorflow/commit/83dcb4dbfa094e33db084e97c4d0531a559e0ebf
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q5jv-m6qw-5g37
- https://github.com/tensorflow/tensorflow/commit/611d80db29dd7b0cfb755772c69d60ae5bca05f9
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g9h5-vr8m-x2h4
- https://github.com/tensorflow/tensorflow/commit/bf6b45244992e2ee543c258e519489659c99fb7f
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fhfc-2q7x-929f
- https://github.com/tensorflow/tensorflow/commit/c1f491817dec39a26be3c574e86a88c30f3c4770
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wq6q-6m32-9rv9
- https://github.com/tensorflow/tensorflow/commit/cf70b79d2662c0d3c6af74583641e345fc939467
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9v8w-xmr4-wgxp
- https://github.com/tensorflow/tensorflow/commit/3db59a042a38f4338aa207922fa2f476e000a6ee
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h7ff-cfc9-wmmh
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-j43h-pgmg-5hjq
- https://github.com/tensorflow/tensorflow/commit/32d7bd3defd134f21a4e344c8dfd40099aaf6b18
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9vqj-64pv-w55c
- https://github.com/tensorflow/tensorflow/commit/c55b476aa0e0bd4ee99d0f3ad18d9d706cd1260a
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-w62h-8xjm-fv49
- https://github.com/tensorflow/tensorflow/commit/bf4c14353c2328636a18bfad1e151052c81d5f43
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wr9v-g9vf-c74v
- https://github.com/tensorflow/tensorflow/commit/7a4591fd4f065f4fa903593bc39b2f79530a74b8
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9942-r22v-78cp
- https://github.com/tensorflow/tensorflow/commit/bd90b3efab4ec958b228cd7cfe9125be1c0cf255
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-p2xf-8hgm-hpw5
- https://github.com/tensorflow/tensorflow/commit/72180be03447a10810edca700cbc9af690dfeb51
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m6vp-8q9j-whx4
- https://github.com/tensorflow/tensorflow/commit/5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-397c-5g2j-qxpv
- https://github.com/tensorflow/tensorflow/commit/40adbe4dd15b582b0210dfbf40c243a62f5119fa
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m6cv-4fmf-66xf
- https://github.com/tensorflow/tensorflow/commit/88f93dfe691563baa4ae1e80ccde2d5c7a143821
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vxv8-r8q2-63xw
- https://github.com/tensorflow/tensorflow/commit/8741e57d163a079db05a7107a7609af70931def4
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v7vw-577f-vp8x
- https://github.com/tensorflow/tensorflow/commit/49b3824d83af706df0ad07e4e677d88659756d89
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vgvh-2pf4-jr2x
- https://github.com/tensorflow/tensorflow/commit/73ad1815ebcfeb7c051f9c2f7ab5024380ca8613
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v
- https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9j4v-pp28-mxv7
- https://github.com/tensorflow/tensorflow/commit/785d67a78a1d533759fcd2f5e8d6ef778de849e0
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4pc4-m9mj-v2r9
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wqmc-pm8c-2jhc
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9fpg-838v-wpv7
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g35r-369w-3fqp
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q2c3-jpmc-gfjx
- https://github.com/tensorflow/tensorflow/commit/50156d547b9a1da0144d7babe665cf690305b33c
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2475-53vw-vp25
- https://github.com/tensorflow/tensorflow/commit/3a6ac52664c6c095aa2b114e742b0aa17fdce78f
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v6h3-348g-6h5x
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4w68-4x85-mjj9
- https://github.com/tensorflow/tensorflow/commit/7cdf9d4d2083b739ec81cfdace546b0c99f50622
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qxpx-j395-pw36
- https://github.com/tensorflow/tensorflow/commit/bce3717eaef4f769019fd18e990464ca4a2efeea
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f7r5-q7cx-h668
- https://github.com/tensorflow/tensorflow/commit/2a458fc4866505be27c62f81474ecb2b870498fa
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-84jm-4cf3-9jfm
- https://github.com/tensorflow/tensorflow/commit/03a659d7be9a1154fdf5eeac221e5950fec07dad
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wxjj-cgcx-r3vq
- https://github.com/tensorflow/tensorflow/commit/9178ac9d6389bdc54638ab913ea0e419234d14eb
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h5vq-gw2c-pq47
- https://github.com/tensorflow/tensorflow/commit/5f945fc6409a3c1e90d6970c9292f805f6e6ddf2
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x989-q2pq-4q5x
- https://github.com/tensorflow/tensorflow/commit/37cefa91bee4eace55715eeef43720b958a01192
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-ffjm-4qwc-7cmf
- https://github.com/tensorflow/tensorflow/commit/b4d4b4cb019bd7240a52daa4ba61e3cc814f0384
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3m3g-pf5v-5hpj
- https://github.com/tensorflow/tflite-micro/commit/4142e47e9e31db481781b955ed3ff807a781b494
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v5xg-3q2c-c2r4
- https://github.com/tensorflow/tensorflow/commit/b5f6fbfba76576202b72119897561e3bd4f179c7
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pxrw-j2fv-hx3h
- https://github.com/tensorflow/tensorflow/commit/595a65a3e224a0362d7e68c2213acfc2b499a196
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f4w6-h4f5-wx45
- https://github.com/tensorflow/tensorflow/commit/61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rc9w-5c64-9vqq
- https://github.com/tensorflow/tensorflow/commit/11ced8467eccad9c7cb94867708be8fa5c66c730
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-54ch-gjq5-4976
- https://github.com/tensorflow/tensorflow/commit/237822b59fc504dda2c564787f5d3ad9c4aa62d9
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5wpj-c6f7-24x8
- https://github.com/tensorflow/tensorflow/commit/a5b89cd68c02329d793356bda85d079e9e69b4e7
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5v77-j66x-4c4g
- https://github.com/tensorflow/tensorflow/commit/174c5096f303d5be7ed2ca2662b08371bff4ab88
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2vv3-56qg-g2cf
- https://github.com/tensorflow/tensorflow/commit/803404044ae7a1efac48ba82d74111fce1ddb09a
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mg66-qvc5-rm93
- https://github.com/tensorflow/tensorflow/commit/ea50a40e84f6bff15a0912728e35b657548cef11
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-p9rc-rmr5-529j
- https://github.com/tensorflow/tensorflow/commit/3150642acbbe254e3c3c5d2232143fa591855ac9
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hrg5-737c-2p56
- https://github.com/tensorflow/tensorflow/commit/13d38a07ce9143e044aa737cfd7bb759d0e9b400
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h48f-q7rw-hvr7
- https://github.com/tensorflow/tensorflow/commit/cebe3c45d76357d201c65bdbbf0dbe6e8a63bbdb
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h5g4-ppwx-48q2
- https://github.com/tensorflow/tensorflow/commit/cff267650c6a1b266e4b4500f69fbc49cdd773c5
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h2wq-prv9-2f56
- https://github.com/tensorflow/tensorflow/commit/098e7762d909bac47ce1dbabe6dfd06294cb9d58
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2p9q-h29j-3f5v
- https://github.com/tensorflow/tensorflow/commit/290bb05c80c327ed74fae1d089f1001b1e2a4ef7
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-75c9-jrh4-79mc
- https://github.com/tensorflow/tensorflow/commit/c5da7af048611aa29e9382371f0aed5018516cac