Описание
TensorFlow is an open source platform for machine learning. When SetSize receives an input set_shape that is not a 1D tensor, it gives a CHECK fails that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit cf70b79d2662c0d3c6af74583641e345fc939467. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Ссылки
- PatchThird Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.7.2 (исключая)Версия от 2.8.0 (включая) до 2.8.1 (исключая)Версия от 2.9.0 (включая) до 2.9.1 (исключая)
Одно из
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc0:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc1:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc2:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc3:*:*:*:*:*:*
EPSS
Процентиль: 19%
0.00061
Низкий
5.9 Medium
CVSS3
7.5 High
CVSS3
Дефекты
CWE-617
Связанные уязвимости
CVSS3: 5.9
debian
больше 3 лет назад
TensorFlow is an open source platform for machine learning. When `SetS ...
CVSS3: 5.9
github
больше 3 лет назад
TensorFlow vulnerable to `CHECK` fail in `SetSize`
EPSS
Процентиль: 19%
0.00061
Низкий
5.9 Medium
CVSS3
7.5 High
CVSS3
Дефекты
CWE-617