#VU95043 Integer overflow in TensorFlow - CVE-2023-33976

Cybersecurity Help s.r.o.

Published: 2024-07-31

Vulnerability identifier: #VU95043

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-33976

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TensorFlow
Server applications / Other server solutions

Vendor: TensorFlow

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in array_ops.upper_bound. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

TensorFlow: 2.0.0 - 2.0.4, 2.1.0 - 2.11.1, 2.2.0 - 2.2.3, 2.3.0 - 2.3.4, 2.4.0 - 2.4.4, 2.5.0 - 2.5.3, 2.6.0 - 2.6.5, 2.7.0 - 2.7.4, 2.8.0 - 2.8.4, 2.9.0 - 2.9.3

External links
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gjh7-xx4r-x345

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component update for TensorFlow

IBM Maximo Application Suite - Monitor Component update for TensorFlow

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for TensorFlow

Denial of service in Tensorflow