Описание
TensorFlow is an open source platform for machine learning. If QuantizedAdd is given min_input or max_input tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 49b3824d83af706df0ad07e4e677d88659756d89. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Ссылки
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 2.7.0 (включая) до 2.7.2 (исключая)Версия от 2.8.0 (включая) до 2.8.1 (исключая)Версия от 2.9.0 (включая) до 2.9.1 (исключая)
Одно из
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc0:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc1:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc2:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc3:*:*:*:*:*:*
EPSS
Процентиль: 19%
0.00061
Низкий
5.9 Medium
CVSS3
7.5 High
CVSS3
Дефекты
CWE-20
NVD-CWE-noinfo
Связанные уязвимости
CVSS3: 5.9
debian
больше 3 лет назад
TensorFlow is an open source platform for machine learning. If `Quanti ...
CVSS3: 5.9
github
больше 3 лет назад
TensorFlow vulnerable to segfault in `QuantizedAdd`
EPSS
Процентиль: 19%
0.00061
Низкий
5.9 Medium
CVSS3
7.5 High
CVSS3
Дефекты
CWE-20
NVD-CWE-noinfo