5.5

CVE-2022-29200

Exploit

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.LSTMBlockCell` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code does not validate the ranks of any of the arguments to this API call. This results in `CHECK`-failures when the elements of the tensor are accessed. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleTensorflow Version < 2.6.4
GoogleTensorflow Version >= 2.7.0 < 2.7.2
GoogleTensorflow Version2.7.0 Updaterc0
GoogleTensorflow Version2.7.0 Updaterc1
GoogleTensorflow Version2.8.0 Update-
GoogleTensorflow Version2.8.0 Updaterc0
GoogleTensorflow Version2.8.0 Updaterc1
GoogleTensorflow Version2.9.0 Updaterc0
GoogleTensorflow Version2.9.0 Updaterc1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.125
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 2.1 3.9 2.9
AV:L/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.