CVE-2022-23586

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that assertions in `function.cc` would be falsified and crash the Python interpreter. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.7.0:*:*:*:*:*:*:*

History

10 Feb 2022, 17:33

Type Values Removed Values Added
References (MISC) https://github.com/tensorflow/tensorflow/commit/dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 - (MISC) https://github.com/tensorflow/tensorflow/commit/dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/tensorflow/tensorflow/security/advisories/GHSA-43jf-985q-588j - (CONFIRM) https://github.com/tensorflow/tensorflow/security/advisories/GHSA-43jf-985q-588j - Patch, Third Party Advisory
References (MISC) https://github.com/tensorflow/tensorflow/commit/3d89911481ba6ebe8c88c1c0b595412121e6c645 - (MISC) https://github.com/tensorflow/tensorflow/commit/3d89911481ba6ebe8c88c1c0b595412121e6c645 - Patch, Third Party Advisory
References (MISC) https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/function.cc - (MISC) https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/function.cc - Exploit, Third Party Advisory
CPE cpe:2.3:a:google:tensorflow:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 4.0
v3 : 6.5

04 Feb 2022, 23:28

Type Values Removed Values Added
New CVE

Information

Published : 2022-02-04 23:15

Updated : 2024-02-04 22:08


NVD link : CVE-2022-23586

Mitre link : CVE-2022-23586

CVE.ORG link : CVE-2022-23586


JSON object : View

Products Affected

google

  • tensorflow
CWE
CWE-617

Reachable Assertion