CVE-2022-23573

Tensorflow is an Open Source Machine Learning Framework. The implementation of `AssignOp` can result in copying uninitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized (to minimize number of allocations), but does not check that the right hand side is also initialized. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.7.0:*:*:*:*:*:*:*

History

10 Feb 2022, 15:32

Type Values Removed Values Added
CPE cpe:2.3:a:google:tensorflow:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 6.5
v3 : 8.8
References (MISC) https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/assign_op.h#L30-L143 - (MISC) https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/assign_op.h#L30-L143 - Exploit, Third Party Advisory
References (CONFIRM) https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q85f-69q7-55h2 - (CONFIRM) https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q85f-69q7-55h2 - Patch, Third Party Advisory
References (MISC) https://github.com/tensorflow/tensorflow/commit/ef1d027be116f25e25bb94a60da491c2cf55bd0b - (MISC) https://github.com/tensorflow/tensorflow/commit/ef1d027be116f25e25bb94a60da491c2cf55bd0b - Patch, Third Party Advisory

04 Feb 2022, 23:28

Type Values Removed Values Added
New CVE

Information

Published : 2022-02-04 23:15

Updated : 2024-02-04 22:08


NVD link : CVE-2022-23573

Mitre link : CVE-2022-23573

CVE.ORG link : CVE-2022-23573


JSON object : View

Products Affected

google

  • tensorflow
CWE
CWE-908

Use of Uninitialized Resource