PT-2022-16090 · Google · Tensorflow
Mihaimaruseac · Published 2022-02-04 · Updated 2024-03-06 · CVE-2022-23573
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.8.0
TensorFlow version 2.7.0 (will be fixed in 2.7.1)
TensorFlow versions 2.6.0 through 2.6.2 (will be fixed in 2.6.3)
TensorFlow versions 2.5.0 through 2.5.2 (will be fixed in 2.5.3)
Description
The implementation of AssignOp can result in copying uninitialized data to a new tensor, leading to undefined behavior. This occurs because the implementation checks if the left-hand side of the assignment is initialized but does not check the right-hand side.
Recommendations
For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later.
For version 2.7.0, update to TensorFlow 2.7.1.
For versions 2.6.0 through 2.6.2, update to TensorFlow 2.6.3.
For versions 2.5.0 through 2.5.2, update to TensorFlow 2.5.3.
Weakness Enumeration
Use of Uninitialized Resource
Affected Products
Tensorflow