BIT-tensorflow-2022-29210
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/tensorflow/BIT-tensorflow-2022-29210.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-tensorflow-2022-29210
- Aliases
- Published
- 2024-03-06T11:14:17.673Z
- Modified
- 2025-05-20T10:02:07.006Z
- Summary
- Heap buffer overflow due to incorrect hash function in TensorFlow
- Details
-
TensorFlow is an open source platform for machine learning. In version 2.8.0, the
TensorKeyhash function used total estimatedAllocatedBytes(), which (a) is an estimate per tensor, and (b) is a very poor hash function for constants (e.g.int32_t). It also tried to access individual tensor bytes throughtensor.data()of sizeAllocatedBytes(). This led to ASAN failures because theAllocatedBytes()is an estimate of total bytes allocated by a tensor, including any pointed-to constructs (e.g. strings), and does not refer to contiguous bytes in the.data()buffer. The discoverers could not use this byte vector anyway because types such aststringinclude pointers, whereas they needed to hash the string values themselves. This issue is patched in Tensorflow versions 2.9.0 and 2.8.1. - Database specific
{ "severity": "Medium", "cpes": [ "cpe:2.3:a:google:tensorflow:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*" ] }- References
-
- https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/framework/tensor_key.h#L53-L64
- https://github.com/tensorflow/tensorflow/commit/1b85a28d395dc91f4d22b5f9e1e9a22e92ccecd6
- https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
- https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hc2f-7r5r-r2hg
- https://nvd.nist.gov/vuln/detail/CVE-2022-29210
Affected packages
Bitnami / tensorflow
Package
- Name
- tensorflow
- Purl
- pkg:bitnami/tensorflow
Severity
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator