PYSEC-2022-106

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/tensorflow-gpu/PYSEC-2022-106.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2022-106

Aliases

Published

2022-02-03T11:15:00Z

Modified

2023-12-06T01:01:55.837003Z

Summary

[none]

Details

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for Dequantize is vulnerable to an integer overflow weakness. The axis argument can be -1 (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked, and, since the code computes axis + 1, an attacker can trigger an integer overflow. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

References

Affected packages

PyPI / tensorflow-gpu

Package

Name: tensorflow-gpu; View open source insights on deps.dev
Purl: pkg:pypi/tensorflow-gpu

Affected ranges

Type: GIT
Repo: https://github.com/tensorflow/tensorflow
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b64638ec5ccaa77b7c1eb90958e3d85ce381f91b

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.3

Introduced

2.6.0

Fixed

2.6.3

Affected versions

0.*

0.12.0

0.12.1

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.2.1

1.3.0

1.4.0

1.4.1

1.5.0

1.5.1

1.6.0

1.7.0

1.7.1

1.8.0

1.9.0

1.10.0

1.10.1

1.11.0

1.12.0

1.12.2

1.12.3

1.13.1

1.13.2

1.14.0

1.15.0

1.15.2

1.15.3

1.15.4

1.15.5

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2