CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
40.1%
The RaggedRangOp
function takes an argument limits
that is eventually used to construct a TensorShape
as an int64
. If limits
is a very large float, it can overflow when converted to an int64
. This triggers an InvalidArgument
but also throws an abort signal that crashes the program.
import tensorflow as tf
tf.raw_ops.RaggedRange(starts=[1.1,0.1],limits=[10.0,1e20],deltas=[1,1])
We have patched the issue in GitHub commit 37cefa91bee4eace55715eeef43720b958a01192.
The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
This vulnerability has been reported by Jingyi Shi.
Vendor | Product | Version | CPE |
---|---|---|---|
tensorflow | gpu | * | cpe:2.3:a:tensorflow:gpu:*:*:*:*:*:*:*:* |
tensorflow | cpu | * | cpe:2.3:a:tensorflow:cpu:*:*:*:*:*:*:*:* |
tensorflow | tensorflow | * | cpe:2.3:a:tensorflow:tensorflow:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-x989-q2pq-4q5x
github.com/tensorflow/tensorflow/blob/0b6b491d21d6a4eb5fbab1cca565bc1e94ca9543/tensorflow/core/kernels/ragged_range_op.cc#L74-L88
github.com/tensorflow/tensorflow/commit/37cefa91bee4eace55715eeef43720b958a01192
github.com/tensorflow/tensorflow/releases/tag/v2.10.0
github.com/tensorflow/tensorflow/security/advisories/GHSA-x989-q2pq-4q5x
nvd.nist.gov/vuln/detail/CVE-2022-35940