Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-41909

TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Published

2022-11-18T22:15:22.223

Last Modified

2024-11-21T07:24:02.807

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses

Type: Secondary
CWE-20
Type: Primary
CWE-476

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	google	tensorflow	< 2.8.4	Yes
Application	google	tensorflow	< 2.9.3	Yes
Application	google	tensorflow	2.10.0	Yes

References

https://github.com/tensorflow/tensorflow/blob/master/tensorflow/python/lib/core/py_func.cc Third Party Advisory ([email protected])
https://github.com/tensorflow/tensorflow/commit/660ce5a89eb6766834bdc303d2ab3902aef99d3d Patch, Third Party Advisory ([email protected])
https://github.com/tensorflow/tensorflow/commit/bf594d08d377dc6a3354d9fdb494b32d45f91971 Patch, Third Party Advisory ([email protected])
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjx6-v474-2ch9 Exploit, Patch, Third Party Advisory ([email protected])
https://github.com/tensorflow/tensorflow/blob/master/tensorflow/python/lib/core/py_func.cc Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/tensorflow/tensorflow/commit/660ce5a89eb6766834bdc303d2ab3902aef99d3d Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/tensorflow/tensorflow/commit/bf594d08d377dc6a3354d9fdb494b32d45f91971 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjx6-v474-2ch9 Exploit, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)