Lucene search
GoogleOSV:GHSA-CQVQ-FVHR-V6HCHistoryNov 21, 2022 - 11:51 p.m.
`CHECK` failure in `SobolSample` via missing validation
2022-11-2123:51:53
Google
osv.dev
9
0.001 Low
EPSS
Percentile
34.7%
Impact
Another instance of CVE-2022-35935, where SobolSample is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.
import tensorflow as tf
tf.raw_ops.SobolSample(dim=tf.constant([1,0]), num_results=tf.constant([1]), skip=tf.constant([1]))
Patches
We have patched the issue in GitHub commits c65c67f88ad770662e8f191269a907bf2b94b1bf and 02400ea266bd811fc016a848445de1bbff3a23a0
The fix will be included in TensorFlow 2.11. We will also cherrypick both commits on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. TensorFlow 2.7.4 will have the first commit cherrypicked.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by:
- Kang Hong Jin from Singapore Management University
- Neophytos Christou, Secure Systems Labs, Brown University
- 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology
- Pattarakrit Rattankul
Related
cnvd
cnvd
Google TensorFlow has an unspecified vulnerability (CNVD-2023-15773)
2022-11-25 00:00:00
osv
osv
CVE-2022-35935
2022-09-16 20:15:10
BIT-tensorflow-2022-35935
2024-03-06 11:14:10
cve
cve
CVE-2022-35935
2022-09-16 20:15:00
cvelist
cvelist
prion
prion
Stack overflow
2022-09-16 20:15:00
github
github
`CHECK` failure in `SobolSample` via missing validation
2022-11-21 23:51:53
nessus
nessus
freebsd
freebsd
py-tensorflow -- denial of service vulnerability
2022-11-21 00:00:00
