BIT-tensorflow-2022-29207

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/tensorflow/BIT-tensorflow-2022-29207.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-tensorflow-2022-29207
Aliases
Published
2024-03-06T11:14:21.385Z
Modified
2025-05-20T10:02:07.006Z
Summary
Undefined behavior when users supply invalid resource handles in TensorFlow
Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, multiple TensorFlow operations misbehave in eager mode when the resource handle provided to them is invalid. In graph mode, it would have been impossible to perform these API calls, but migration to TF 2.x eager mode opened up this vulnerability. If the resource handle is empty, then a reference is bound to a null pointer inside TensorFlow codebase (various codepaths). This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Database specific
{
    "cpes": [
        "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / tensorflow

Package

Name
tensorflow
Purl
pkg:bitnami/tensorflow

Severity

  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.6.4
Introduced
2.7.0
Fixed
2.7.2
Introduced
2.8.0
Fixed
2.8.1