8.1

CVE-2022-21730

Exploit

Out of bounds read in Tensorflow

Tensorflow is an Open Source Machine Learning Framework. The implementation of `FractionalAvgPoolGrad` does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleTensorflow Version <= 2.5.2
GoogleTensorflow Version >= 2.6.0 <= 2.6.2
GoogleTensorflow Version2.7.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.82% 0.524
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
nvd@nist.gov 5.5 8 4.9
AV:N/AC:L/Au:S/C:P/I:N/A:P
security-advisories@github.com 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/fractional_avg_pool_op.cc#L209-L360
Third Party Advisory
Exploit
https://github.com/tensorflow/tensorflow/commit/002408c3696b173863228223d535f9de72a101a9
Patch
Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vjg4-v33c-ggc4
Patch
Third Party Advisory