Lucene search

[email protected]NVD:CVE-2022-21730

HistoryFeb 03, 2022 - 11:15 a.m.

CVE-2022-21730

2022-02-0311:15:08

CWE-125

[email protected]

web.nvd.nist.gov

tensorflow

machine learning

fractionalavgpoolgrad

vulnerability

cve-2022-21730

fix

cherrypick

tensorflow 2.8.0

tensorflow 2.7.1

tensorflow 2.6.3

tensorflow 2.5.3

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:N/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS

0.003

Percentile

68.9%

JSON

Tensorflow is an Open Source Machine Learning Framework. The implementation of FractionalAvgPoolGrad does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Affected configurations

Nvd

Node

googletensorflowRange≤2.5.2

googletensorflowRange2.6.0–2.6.2

googletensorflowMatch2.7.0

VendorProductVersionCPE
googletensorflow*cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
googletensorflow2.7.0cpe:2.3:a:google:tensorflow:2.7.0:*:*:*:*:*:*:*