PT-2022-16076 · Google · Tensorflow
Wang Xuan · Published 2022-02-04 · Updated 2024-03-06
CVE-2022-23560
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TensorFlow versions 2.5.3 through 2.7.1
TensorFlow version 2.8.0 is not affected, as it includes the fix.
Description
An attacker can craft a TFLite model that causes limited out-of-bounds reads and writes on arrays inside TFLite. The flaw is missing validation during the conversion of sparse tensors to dense tensors.
Recommendations
For TensorFlow versions 2.5.3, 2.6.3, and 2.7.1, upgrade to the respective patched versions as soon as possible.
For TensorFlow versions prior to 2.8.0, upgrade to version 2.8.0 or later to resolve the issue.
As a temporary workaround, consider restricting the use of TFLite models until a patch is applied.
Vulnerability Types
Out-of-bounds Read
Memory Corruption
Related Identifiers
Affected Products
TensorFlow