PT-2022-26139 · Google · Tensorflow
Published: 2022-11-18 · Updated: 2024-03-06
CVE-2022-41908
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.11
TensorFlow version 2.10.1
TensorFlow version 2.9.3
TensorFlow version 2.8.4
Description
TensorFlow is an open source platform for machine learning. An input token that is not a UTF-8 bytestring will trigger a CHECK fail in tf.raw_ops.PyFunc.
Recommendations
For TensorFlow versions prior to 2.11, update to version 2.11 or later.
For TensorFlow version 2.10.1, apply the patch from GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645.
For TensorFlow version 2.9.3, apply the patch from GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645.
For TensorFlow version 2.8.4, apply the patch from GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645.
As a temporary workaround, consider validating the input token to ensure it is a UTF-8 bytestring before passing it to tf.raw_ops.PyFunc.
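One way to apply that workaround, as an added example that is not part of the advisory or of the TensorFlow patch: the token is strictly decoded as UTF-8 and rejected in Python before the op is reached. The names validate_token and guarded_py_func are hypothetical, and the op is passed in as a callable (assumed to be tf.raw_ops.PyFunc, called with its input, token and Tout arguments) so the check runs without TensorFlow installed.

```python
# Added example: reject non-UTF-8 tokens before they reach the PyFunc op.
# validate_token and guarded_py_func are hypothetical helper names.


def validate_token(token):
    """Return the token as UTF-8 bytes, or raise TypeError/ValueError."""
    if isinstance(token, str):
        try:
            # Strict encoding fails on lone surrogates such as "\ud800".
            return token.encode("utf-8")
        except UnicodeEncodeError as exc:
            raise ValueError(f"token is not encodable as UTF-8: {exc}") from None
    if isinstance(token, (bytes, bytearray, memoryview)):
        raw = bytes(token)
        try:
            # Strict decoding rejects invalid lead bytes, truncated sequences,
            # overlong forms and encoded surrogates.
            raw.decode("utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            raise ValueError(f"token is not a UTF-8 bytestring: {exc}") from None
        return raw
    raise TypeError(f"token must be str or bytes, got {type(token).__name__}")


def guarded_py_func(py_func_op, inputs, token, tout):
    """Validate the token, then forward the call to the supplied op.

    py_func_op is assumed to be tf.raw_ops.PyFunc; it is injected so that
    the guard can be exercised with a stub.
    """
    safe_token = validate_token(token)
    return py_func_op(input=inputs, token=safe_token, Tout=tout)


if __name__ == "__main__":
    # Constructed sample tokens: one valid, two that must be rejected.
    for sample in (b"pyfunc_0", b"\xff\xfe", b"\xc0\x80"):
        try:
            print(sample, "->", validate_token(sample))
        except ValueError as err:
            print(sample, "rejected:", err)
```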
Affected Products
Tensorflow