Risk | Low |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2022-29191, CVE-2022-29208, CVE-2022-29213 |
CWE-ID | CWE-20, CWE-787 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | TensorFlow (Server applications / Other server solutions) |
Vendor | TensorFlow |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU65774
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-29191
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within "GetSessionTensor". A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: TensorFlow 2.0.0 - 2.8.0
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fv25-wrff-wf86
https://github.com/tensorflow/tensorflow/commit/48305e8ffe5246d67570b64096a96f8e315a7281
https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/session_ops.cc#L94-L112
https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65777
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-29208
CWE-ID: CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a local user to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in "EditDistance". A local user can trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: TensorFlow 2.0.0 - 2.8.0
https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
https://github.com/tensorflow/tensorflow/commit/30721cf564cb029d34535446d6a5a6357bebc8e7
https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2r2f-g8mw-9gvr
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65775
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-29213
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in "tf.compat.v1.signal.rfft2d" and "tf.compat.v1.signal.rfft3d". A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: TensorFlow 2.0.0 - 2.8.0
https://github.com/tensorflow/tensorflow/issues/55263
https://github.com/tensorflow/tensorflow/commit/0a8a781e597b18ead006d19b7d23d0a369e9ad73
https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5889-7v45-q28m
https://github.com/tensorflow/tensorflow/pull/55274
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
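
An added example (not part of the bulletin and not TensorFlow code): a Python check that classifies an installed TensorFlow version against the affected range and the release tags listed for all three vulnerabilities above. It assumes each linked tag (v2.6.4, v2.7.2, v2.8.1, v2.9.0) is the first fixed release on its minor branch, which is why a plain 2.0.0 - 2.8.0 range test would wrongly flag 2.6.4 and 2.7.2; `parse_version`, `in_listed_range` and `assess` are names introduced here.

```python
import re

# From the bulletin: listed affected range and the release tags it links.
LISTED_RANGE = ((2, 0, 0), (2, 8, 0))
# Assumption: each linked tag is the first fixed release on its minor branch.
FIXED = {(2, 6): (2, 6, 4), (2, 7): (2, 7, 2), (2, 8): (2, 8, 1), (2, 9): (2, 9, 0)}
VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)([.\-]?[A-Za-z]\w*)?(\+[\w.]+)?\s*")


def parse_version(text):
    """Parse '2.7.1', 'v2.8.0' or '2.9.0rc1' into (major, minor, patch, final).

    final is 0 for a pre-release suffix (rc, dev, ...) and 1 otherwise, so a
    release candidate sorts before the final release with the same number.
    """
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), 0 if m[4] else 1)


def in_listed_range(text):
    """Naive test: is the release number inside the range the bulletin lists?"""
    lo, hi = LISTED_RANGE
    return lo <= parse_version(text)[:3] <= hi


def assess(text):
    """Return (status, upgrade_to); status is 'affected', 'fixed' or 'not_listed'."""
    v = parse_version(text)
    if v[:3] < LISTED_RANGE[0]:
        return ("not_listed", None)        # the bulletin does not cover 1.x
    fixed = FIXED.get(v[:2])
    if fixed is None and v[:2] > max(FIXED):
        return ("fixed", None)             # assumption: later branches keep the fix
    if fixed is None:
        fixed = min(FIXED.values())        # 2.0-2.5: no fixed release on the branch
    elif v >= fixed + (1,):
        return ("fixed", None)
    return ("affected", ".".join(map(str, fixed)))


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real inventory.
    for sample in ("2.4.1", "2.7.2", "2.8.0", "2.9.0rc0", "2.10.0"):
        print(sample, in_listed_range(sample), assess(sample))
```

To check a running environment, pass the string returned by `importlib.metadata.version("tensorflow")` to `assess`. Pre-releases of a fixed version are conservatively reported as affected.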