Safety vulnerability ID: 44785
The information on this page was manually curated by our Cybersecurity Intelligence Team.
TensorFlow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-21733: the implementation of 'StringNGrams' can be used to trigger a denial of service by causing an out-of-memory condition after an integer overflow. The kernel does not validate the 'pad_width' attribute, so a negative value results in a negative 'ngram_width', which is later used to size and allocate parts of the output.
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-98j8-c9q4-r38g
Latest version: 2.18.0
TensorFlow is an open source machine learning framework for everyone.
Tensorflow is an Open Source Machine Learning Framework. The implementation of `StringNGrams` can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. We are missing a validation on `pad_width` and that results in computing a negative value for `ngram_width` which is later used to allocate parts of the output. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. See CVE-2022-21733.
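The following is an added example and not TensorFlow's own code: a simplified Python model of the sizing arithmetic the advisory describes, showing why an unvalidated `pad_width` below -1 ends in an attempt to allocate an enormous buffer, next to the check the fix adds (`pad_width >= -1`). The function names, the sample inputs, the 64-bit `size_t`, and the exact formulas are assumptions; they only keep the shape "n-gram width = sequence length plus padding on both sides; bytes to reserve are derived from that width", and -1 is treated as the op's documented sentinel for "max(ngram_widths) - 1" pad elements.

```python
# Added example (not TensorFlow code): model of CVE-2022-21733's arithmetic.
# Assumptions: 64-bit size_t, simplified width/size formulas, hypothetical
# helper names. The point is the flow "unchecked pad_width -> negative
# ngram_width -> negative size -> huge unsigned size -> OOM", and the guard.

SIZE_T_MOD = 1 << 64  # assumption: 64-bit size_t


def as_size_t(n: int) -> int:
    """Model the implicit int -> size_t conversion a C++ reserve() performs.
    A negative int wraps to a value close to 2**64."""
    return n % SIZE_T_MOD


def resolve_pad_width(pad_width: int, ngram_widths) -> int:
    """-1 is the op's documented sentinel for 'max(ngram_widths) - 1' pads
    (assumed here). Any other value is taken literally, which is exactly the
    pre-fix problem: pad_width = -5 survives this function unchanged."""
    if pad_width == -1:
        return max(ngram_widths, default=1) - 1
    return pad_width


def short_sequence_ngram_width(data_length: int, pad_width: int) -> int:
    """Width of the single n-gram emitted for a short sequence (model):
    the whole sequence plus pad_width elements on each side."""
    return data_length + 2 * pad_width


def bytes_to_reserve(ngram_width: int, max_token_len: int, sep_len: int) -> int:
    """Model of the reserve() size derived from the n-gram width: room for
    every token plus a separator between each pair. A negative width gives
    a negative result, and that is the value handed to reserve()."""
    return ngram_width * max_token_len + (ngram_width - 1) * sep_len


def plan_short_ngram(tokens, pad_width, ngram_widths=(), separator=" ",
                     hardened=False):
    """Return (ngram_width, size_t bytes reserved) for the preserve-short path.

    hardened=False models the pre-fix kernel: pad_width is used as given.
    hardened=True models the fix: reject pad_width < -1 before any arithmetic,
    mirroring the kernel-side OP_REQUIRES check added in the fix commit.
    """
    if hardened and pad_width < -1:
        raise ValueError(f"pad_width should be >= -1, got {pad_width}")
    if not tokens:
        # The preserve-short path only fires for non-empty sequences (model).
        return 0, 0
    pad = resolve_pad_width(pad_width, list(ngram_widths))
    width = short_sequence_ngram_width(len(tokens), pad)
    max_token_len = max(len(t) for t in tokens)
    reserved = as_size_t(bytes_to_reserve(width, max_token_len, len(separator)))
    return width, reserved


def would_exhaust_memory(reserved: int, budget: int = 1 << 40) -> bool:
    """True when the modelled reservation exceeds an assumed 1 TiB budget."""
    return reserved > budget


if __name__ == "__main__":
    # Constructed sample input: two tokens, attacker-chosen pad_width = -5.
    width, reserved = plan_short_ngram(["ab", "cd"], pad_width=-5)
    print(f"pre-fix: ngram_width={width}, reserve({reserved}) -> OOM")
    try:
        plan_short_ngram(["ab", "cd"], pad_width=-5, hardened=True)
    except ValueError as e:
        print(f"fixed: rejected up front: {e}")
    # The -1 sentinel and non-negative widths still behave normally.
    print(plan_short_ngram(["ab", "cd"], pad_width=-1, ngram_widths=(3,)))
    print(plan_short_ngram(["ab", "cd"], pad_width=1, hardened=True))
```

With the constructed input, the unchecked path turns `pad_width=-5` into an n-gram width of -8, a reserve size of -25, and after the `size_t` conversion a reservation of 2**64 - 25 bytes; the hardened path refuses the attribute before any of that arithmetic runs, while -1 and non-negative values give the same small sizes on both paths. The practical takeaway for a reader of this page is the same as the advisory's: upgrade to a fixed release, and treat `tf.raw_ops.StringNGrams` attributes that come from untrusted input as needing range checks.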
CONFIRM: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-98j8-c9q4-r38g
MISC: https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/string_ngrams_op.cc#L29-L161
MISC: https://github.com/tensorflow/tensorflow/commit/f68fdab93fb7f4ddb4eb438c8fe052753c9413e8