Lucene search

[email protected]NVD:CVE-2022-21731

HistoryFeb 03, 2022 - 12:15 p.m.

CVE-2022-21731

2022-02-0312:15:07

CWE-843

[email protected]

web.nvd.nist.gov

tensorflow

concatv2

denial of service

shape inference

cve-2022-21731

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

54.5%

JSON

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion. The axis argument is translated into concat_dim in the ConcatShapeHelper helper function. Then, a value for min_rank is computed based on concat_dim. This is then used to validate that the values tensor has at least the required rank. However, WithRankAtLeast receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented. Due to the fact that min_rank is a 32-bits value and the value of axis, the rank argument is a negative value, so the error check is bypassed. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Affected configurations

Nvd

Node

googletensorflowRange≤2.5.2

googletensorflowRange2.6.0–2.6.2

googletensorflowMatch2.7.0

VendorProductVersionCPE
googletensorflow*cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
googletensorflow2.7.0cpe:2.3:a:google:tensorflow:2.7.0:*:*:*:*:*:*:*