CVE-2023-25668

Exploit

EPSS 1.51%
Veröffentlicht 25.03.2023 00:15:07
Zuletzt bearbeitet 21.11.2024 07:49:54
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

TensorFlow is an open source platform for machine learning. Attackers using Tensorflow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Tensorflow Version < 2.12.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.51%	0.805

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://github.com/tensorflow/tensorflow/commit/7b174a0f2e40ff3f3aa957aecddfd5aaae35eccb

Patch

Exploit

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gw97-ff7c-9v96

Patch

https://nvd.nist.gov/vuln/detail/CVE-2023-25668

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-25668

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-25668

EUVD