8.8

CVE-2022-21740

Exploit

Heap overflow in Tensorflow

Tensorflow is an Open Source Machine Learning Framework. The implementation of `SparseCountSparseOutput` is vulnerable to a heap overflow. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleTensorflow Version <= 2.5.2
GoogleTensorflow Version >= 2.6.0 <= 2.6.2
GoogleTensorflow Version2.7.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.79% 0.515
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
security-advisories@github.com 7.6 2.8 4.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/count_ops.cc#L168-L273
Third Party Advisory
Exploit
https://github.com/tensorflow/tensorflow/commit/2b7100d6cdff36aa21010a82269bc05a6d1cc74a
Patch
Third Party Advisory
https://github.com/tensorflow/tensorflow/commit/adbbabdb0d3abb3cdeac69e38a96de1d678b24b3
Patch
Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-44qp-9wwf-734r
Patch
Third Party Advisory