GHSA-HJX6-F647-MVF9 Invenio-Communities has a Cross-Site Scripting (XSS) vulnerability in React components

Impact We have identified a Cross-Site Scripting XSS vulnerability within certain React components related to community members in the Invenio-Communities module. This vulnerability enables a user to inject a script tag into the Affiliations field during the account registration process. The...

SUSE CVE-2021-29570

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.MaxPoolGradWithArgmax can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The...

SUSE CVE-2021-29615

TensorFlow is an end-to-end open source platform for machine learning. The implementation of ParseAttrValuehttps://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/framework/attrvalueutil.ccL397-L453 can be tricked into stack overflow due to recursion...

SUSE CVE-2021-37648

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the code for tf.rawops.SaveV2 does not properly validate the inputs and an attacker can trigger a null pointer dereference. The implementation uses ValidateInputs to check that the input arguments are vali...

CVE-2022-35935

TensorFlow is an open source platform for machine learning. The implementation of SobolSampleOp is vulnerable to a denial of service via CHECK-failure assertion failure caused by assuming input0, input1, and input2 to be scalar. This issue has been patched in GitHub commit...

GHSA-FR77-RRX3-CP7G Heap OOB read in `tf.ragged.cross`

Impact The shape inference code for tf.ragged.cross can trigger a read outside of bounds of heap allocated array: python import tensorflow as tf @tf.function def test: y = tf.rawops.RaggedCrossraggedvalues=, raggedrowsplits=, sparseindices=5, sparsevalues=, sparseshape=5, denseinputs='a',...

PYSEC-2021-834

TensorFlow is an open source platform for machine learning. In affected versions the ImmutableConst operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the tstring TensorFlow string class has a special case for memory mapped strings but the operation...

PYSEC-2021-390

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow allows tensor to have a large number of dimensions and each dimension can be as large as desired. However, the total number of elements in a tensor must fit within an int64t. If an overflow occurs,...

GHSA-F5CX-5WR3-5QRC Reference binding to nullptr in boosted trees

Impact An attacker can generate undefined behavior via a reference binding to nullptr in BoostedTreesCalculateBestGainsPerFeature: python import tensorflow as tf tf.rawops.BoostedTreesCalculateBestGainsPerFeature nodeidrange=, statssummarylist=1,2,3, l1=1.0, l2=1.0, treecomplexity =1.0,...

PYSEC-2021-297

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation i...

PYSEC-2021-713

TensorFlow is an end-to-end open source platform for machine learning. The Prepare step of the SpaceToDepth TFLite operator does not check for 0 before divisionhttps://github.com/tensorflow/tensorflow/blob/5f7975d09eac0f10ed8a17dbb6f5964977725adc/tensorflow/lite/kernels/spacetodepth.ccL63-L67. An...

PYSEC-2021-672

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger an integer division by zero undefined behavior in tf.rawops.QuantizedBiasAdd. This is because the implementation of the Eigen...

PYSEC-2021-639

TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++...

PYSEC-2021-491

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a CHECK-failure coming from the implementation of tf.rawops.RFFT. Eigen code operating on an empty matrix can trigger on an assertion and will cause program termination...

PYSEC-2021-696

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.MaxPoolGradWithArgmax can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The...

PYSEC-2021-682

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in tf.rawops.Reverse. This is because the...