PT-2022-16081 · Google · Tensorflow
Mihaimaruseac · Published 2022-02-04 · Updated 2024-03-06 · CVE-2022-23565
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.8.0
TensorFlow versions 2.7.1, 2.6.3, and 2.5.3 are also affected
Description
An attacker can trigger denial of service via assertion failure by altering a SavedModel on disk such that AttrDefs of some operation are duplicated.
Recommendations
For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later.
For versions 2.7.1, 2.6.3, and 2.5.3, update to the respective cherrypicked versions.
As a temporary workaround, consider restricting access to SavedModel files to minimize the risk of exploitation.
Exploit
Fix
Assertion Failure
Affected Products
Tensorflow