AZL-31197

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-31197.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-31197

Upstream

CVE-2023-25661

Published

2023-03-27T20:15:09Z

Modified

2026-04-21T04:26:07.668112Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2023-25661 affecting package tensorflow for versions less than 2.11.1-1

Details

TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the Convolution3DTranspose function. This Convolution3DTranspose layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure could be potentially used to trigger a denial of service attack on ML cloud services. An attacker must have privilege to provide input to a Convolution3DTranspose call. This issue has been patched and users are advised to upgrade to version 2.11.1. There are no known workarounds for this vulnerability.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-25661

Affected packages

Azure Linux:2 / tensorflow

Package

Name: tensorflow
Purl: pkg:rpm/azure-linux/tensorflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-31197.json"