CVE-2022-23562

Advisory

Tensorflow versions 2.5.3, 2.6.3, 2.7.1 and 2.8.0 include a fix for CVE-2022-23562: The implementation of 'Range' suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations.
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qx3f-p745-w4hr

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Tensorflow is an Open Source Machine Learning Framework. The implementation of `Range` suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. See CVE-2022-23562.


CONFIRM:https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qx3f-p745-w4hr: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qx3f-p745-w4hr
MISC:https://github.com/tensorflow/tensorflow/commit/f0147751fd5d2ff23251149ebad9af9f03010732: https://github.com/tensorflow/tensorflow/commit/f0147751fd5d2ff23251149ebad9af9f03010732
MISC:https://github.com/tensorflow/tensorflow/issues/52676: https://github.com/tensorflow/tensorflow/issues/52676
MISC:https://github.com/tensorflow/tensorflow/pull/51733: https://github.com/tensorflow/tensorflow/pull/51733

Resources

• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qx3f-p745-w4hr
• https://github.com/tensorflow/tensorflow/commit/f0147751fd5d2ff23251149ebad9af9f03010732
• https://github.com/tensorflow/tensorflow/issues/52676
• https://github.com/tensorflow/tensorflow/pull/51733
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23562