BIT-tensorflow-2022-21733
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/tensorflow/BIT-tensorflow-2022-21733.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-tensorflow-2022-21733
- Aliases
- Published
- 2024-03-06T11:15:43.248Z
- Modified
- 2024-03-06T11:25:28.861Z
- Summary
- [none]
- Details
-
Tensorflow is an Open Source Machine Learning Framework. The implementation of
StringNGramscan be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. We are missing a validation onpad_witdhand that result in computing a negative value forngram_widthwhich is later used to allocate parts of the output. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. - References
-
- https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/string_ngrams_op.cc#L29-L161
- https://github.com/tensorflow/tensorflow/commit/f68fdab93fb7f4ddb4eb438c8fe052753c9413e8
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-98j8-c9q4-r38g
Affected packages
Bitnami / tensorflow
Package
- Name
- tensorflow
- Purl
- pkg:bitnami/tensorflow
Severity
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator