Multiple vulnerabilities in TensorFlow
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-29191 CVE-2022-29208 CVE-2022-29213 |
| CWE-ID | CWE-20 CWE-787 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
TensorFlow Server applications / Other server solutions |
| Vendor | TensorFlow |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU65774
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29191
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the "GetSessionTensor". A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTensorFlow: 2.0.0 - 2.8.0
External linkshttp://github.com/tensorflow/tensorflow/security/advisories/GHSA-fv25-wrff-wf86
http://github.com/tensorflow/tensorflow/commit/48305e8ffe5246d67570b64096a96f8e315a7281
http://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/session_ops.cc#L94-L112
http://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
http://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
http://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
http://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU65777
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29208
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in "EditDistance". A local user can trigger out-of-bounds write and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTensorFlow: 2.0.0 - 2.8.0
External linkshttp://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
http://github.com/tensorflow/tensorflow/commit/30721cf564cb029d34535446d6a5a6357bebc8e7
http://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
http://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
http://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
http://github.com/tensorflow/tensorflow/security/advisories/GHSA-2r2f-g8mw-9gvr
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU65775
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29213
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in "tf.compat.v1.signal.rfft2d" and "tf.compat.v1.signal.rfft3d". A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTensorFlow: 2.0.0 - 2.8.0
External linkshttp://github.com/tensorflow/tensorflow/issues/55263
http://github.com/tensorflow/tensorflow/commit/0a8a781e597b18ead006d19b7d23d0a369e9ad73
http://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
http://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
http://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
http://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
http://github.com/tensorflow/tensorflow/security/advisories/GHSA-5889-7v45-q28m
http://github.com/tensorflow/tensorflow/pull/55274
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
