PT-2022-16079 · Google · Tensorflow

Published 2022-02-04 · Updated 2024-03-06 · CVE-2022-23563

CVSS v4.0: 8.4 (High)

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.8.0
TensorFlow versions 2.7.0 through 2.7.0 (patched in 2.7.1)
TensorFlow versions 2.6.0 through 2.6.2 (patched in 2.6.3)
TensorFlow versions 2.5.0 through 2.5.2 (patched in 2.5.3)

Description

In multiple places TensorFlow uses tempfile.mktemp to obtain the name of a temporary file. mktemp only checks that the name is unused and returns it; the file itself is created later by a separate operation (for example open()). In a utility or library this is dangerous: a different process can create a file or symbolic link at that path between the check in mktemp and the subsequent creation, so the later open follows whatever was planted there. This is a time-of-check/time-of-use (TOC/TOU) weakness. In several of these call sites TensorFlow was actually supposed to create a temporary directory rather than a file; that logic bug was hidden by the mktemp usage, which never creates anything.

Recommendations

For TensorFlow versions prior to 2.8.0, upgrade to version 2.8.0 or later as soon as possible.
For TensorFlow versions 2.7.0 through 2.7.0, upgrade to version 2.7.1 or later.
For TensorFlow versions 2.6.0 through 2.6.2, upgrade to version 2.6.3 or later.
For TensorFlow versions 2.5.0 through 2.5.2, upgrade to version 2.5.3 or later.
If an upgrade cannot be applied immediately, replace tempfile.mktemp in the affected code paths with the safer tempfile.mkstemp (where a file is needed) or tempfile.mkdtemp (where a directory is needed), matching the usage pattern at each call site. Both create the object atomically with restrictive permissions instead of merely returning a name.
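The following Python is an added example written for this page to show the mktemp TOC/TOU pattern described above beside its mkstemp/mkdtemp replacement; it is not TensorFlow's code and not the project's fix. The helper names (write_scratch_unsafe, write_scratch_safe, make_scratch_dir_safe, demo) and the `between` hook, which stands in for the "other process" acting inside the race window, are assumptions of the example. The victim file and payload are constructed inline.

```python
"""Added example for CVE-2022-23563 (not TensorFlow's own code).

mktemp() names a path that is free *now*; the caller creates it later.
mkstemp()/mkdtemp() create the file/directory atomically and return it.
"""
import os
import shutil
import stat
import tempfile
from typing import Callable, Dict


def write_scratch_unsafe(data: bytes, tmp_dir: str,
                         between: Callable[[str], None] = lambda p: None) -> str:
    """Vulnerable pattern: mktemp() only picks a name that was unused at
    check time; the later open() is what creates the file. `between` is
    instrumentation for this demo only (an assumption of the example): it
    stands in for another process acting inside the check/use window."""
    path = tempfile.mktemp(dir=tmp_dir)     # check: name is free right now
    between(path)                           # ...race window...
    with open(path, "wb") as fh:            # use: O_CREAT without O_EXCL,
        fh.write(data)                      # follows whatever is there now
    return path


def write_scratch_safe(data: bytes, tmp_dir: str) -> str:
    """Hardened pattern: mkstemp() creates the file with O_CREAT|O_EXCL and
    mode 0600 and returns an already-open descriptor, so there is no window
    between choosing the name and owning the file."""
    fd, path = tempfile.mkstemp(dir=tmp_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def make_scratch_dir_safe(tmp_dir: str) -> str:
    """For the 'should have been a directory' cases: mkdtemp() atomically
    creates a fresh 0700 directory instead of merely naming one."""
    return tempfile.mkdtemp(dir=tmp_dir)


def demo() -> Dict[str, object]:
    """Constructed demonstration, driven from one process for determinism:
    an attacker who learns the mktemp() name plants a symlink to a victim
    file before the writer opens it. Returns the observable outcomes."""
    work = tempfile.mkdtemp()
    try:
        victim = os.path.join(work, "victim.txt")

        def reset_victim() -> None:
            with open(victim, "wb") as fh:
                fh.write(b"original")

        def read_victim() -> bytes:
            with open(victim, "rb") as fh:
                return fh.read()

        # Unsafe: the attacker wins the race; the writer's open() follows
        # the planted symlink and overwrites the victim file.
        reset_victim()
        write_scratch_unsafe(b"payload", work,
                             between=lambda p: os.symlink(victim, p))
        victim_after_unsafe = read_victim()

        # Safe: mkstemp() hands back an exclusively created regular file,
        # so the victim is untouched and the scratch file is ours (0600).
        reset_victim()
        safe_path = write_scratch_safe(b"payload", work)
        victim_after_safe = read_victim()
        safe_dir = make_scratch_dir_safe(work)

        return {
            "victim_after_unsafe": victim_after_unsafe,   # b"payload"
            "victim_after_safe": victim_after_safe,       # b"original"
            "safe_is_symlink": os.path.islink(safe_path), # False
            "safe_mode": stat.S_IMODE(os.lstat(safe_path).st_mode),   # 0o600
            "safe_dir_mode": stat.S_IMODE(os.lstat(safe_dir).st_mode),  # 0o700
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The demo targets POSIX; creating the planted symlink with os.symlink on Windows requires extra privilege. The point to carry into a code review is the one the advisory makes: any call to tempfile.mktemp in library code is a finding, and the replacement must match the intended object (mkstemp for a file, mkdtemp for a directory), since the mktemp name never reveals which one the author meant.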

Exploit

Fix

Weakness Enumeration

CWE-668: Exposure of Resource to Wrong Sphere

CWE-367: Time Of Check To Time Of Use (TOCTOU) Race Condition

Related Identifiers

BIT-TENSORFLOW-2022-23563
CVE-2022-23563
GHSA-WC4G-R73W-X8MM
OPENSUSE-SU-2024:12116-1
PYSEC-2022-127
PYSEC-2022-72

Affected Products

Tensorflow