Incorrect Comparison
Overview: Affected versions of this package are vulnerable to Incorrect Comparison. Constructing a tflite model with a parameter filter_input_channel of less than 1 gives a floating point exception. Remediation: Upgrade tensorflow-lite to version 2.12.0 or higher. References: GitHub Commit. Credit: Wa...
Denial of Service (DoS)
Overview: Affected versions of this package are vulnerable to Denial of Service (DoS). When running with XLA, tf.raw_ops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor. PoC: import tensorflow as tf func = tf.raw_ops.Bincount...
Buffer Overflow
Overview: Affected versions of this package are vulnerable to Buffer Overflow in TAvgPoolGrad. PoC: import os os.environ['TF_ENABLE_ONEDNN_OPTS'] = '0' import tensorflow as tf print(tf.__version__) with tf.device("CPU"): ksize = [1, 40, 128, 1] strides = [1, 128, 128, 30] padding = "SAME" data_format = "NHWC"...
Heap-based Buffer Overflow
Overview: Affected versions of this package are vulnerable to Heap-based Buffer Overflow. Attackers can access heap memory which is not under the user's control, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherry-pick this commit on...
Integer Overflow to Buffer Overflow
Overview: Affected versions of this package are vulnerable to Integer Overflow to Buffer Overflow when 2^31 <= num_frames * height * width * channels < 2^32, for example a Full HD screencast of at least 346 frames. PoC: import urllib.request dat =...
Integer Overflow or Wraparound
Overview: Affected versions of this package are vulnerable to Integer Overflow or Wraparound in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1. PoC: import tensorflow as tf para = {'hypothesis_indices': , 'hypothesis_values': ['tmp/'], 'hypothesis_shape': , 'truth_indices':...
Out-of-Bounds
Overview: Affected versions of this package are vulnerable to Out-of-Bounds due to mismatched integer type sizes in ValueMap::Manager::GetValueOrCreatePlaceholder, because of a bug in the tfg-translate call to InitMlir. Remediation: Upgrade tensorflow-lite to version 2.12.0 or higher...
Denial of Service (DoS)
Overview: Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception if the stride and window size are not positive for tf.raw_ops.AvgPoolGrad. PoC: import tensorflow as tf import numpy as np @tf.function(jit_compile=True) def test(): y =...
NULL Pointer Dereference
Overview: Affected versions of this package are vulnerable to NULL Pointer Dereference. When ctx->step_container is a null pointer, the Lookup function is executed with a null pointer. PoC: import tensorflow as tf tf.raw_ops.TensorArrayConcatV2(handle=['a', 'b'], flow_in=0.1, dtype=tf.int32,...
Denial of Service (DoS)
Overview: Affected versions of this package are vulnerable to Denial of Service (DoS). When the parameter summarize of tf.raw_ops.Print is zero, the new method SummarizeArray dereferences a nullptr, leading to a segfault. PoC: import tensorflow as tf tf.raw_ops.Print(input=tf.constant([1, 1, 1,...
Double Free
Overview: Affected versions of this package are vulnerable to Double Free. The nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2 functions require the first and fourth elements of their parameter pooling_ratio to be equal to 1.0, as pooling on batch and channel dimensions is not supported. Po...
NULL Pointer Dereference
Overview: Affected versions of this package are vulnerable to NULL Pointer Dereference in QuantizedMatMulWithBiasAndDequantize with MKL enabled. PoC: import tensorflow as tf func = tf.raw_ops.QuantizedMatMulWithBiasAndDequantize para={'a': tf.constant(138, dtype=tf.quint8), 'b': tf.constant(4,...
Denial of Service (DoS)
Overview: Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception in AudioSpectrogram. PoC: import tensorflow as tf para = {'input': tf.constant([14., 24.], dtype=tf.float32), 'window_size': 1, 'stride': 0, 'magnitude_squared': False} func =...
Out-of-bounds Read
Overview: Affected versions of this package are vulnerable to Out-of-bounds Read if the parameter indices for DynamicStitch does not match the shape of the parameter data. PoC: import tensorflow as tf func = tf.raw_ops.DynamicStitch para={'indices': [0xdeadbeef, 405, 519, 758, 1015], 'data':...
Out-of-bounds Read
Overview: Affected versions of this package are vulnerable to Out-of-bounds Read in GRUBlockCellGrad. PoC: func = tf.raw_ops.GRUBlockCellGrad para = {'x': [21.1, 156.2, 83.3, 115.4], 'h_prev': array([136.5, 136.6]), 'w_ru': array([26.7, 0.8, 47.9, 26.1, 26.2, 26.3]), 'w_c': array([0.4, 31.5, 0.6]), 'b_ru': array([0.1,...
NULL Pointer Dereference
Overview: Affected versions of this package are vulnerable to NULL Pointer Dereference when SparseSparseMaximum is given invalid sparse tensors as inputs. PoC: import tensorflow as tf tf.raw_ops.SparseSparseMaximum(a_indices=[1], a_values=[0.1], a_shape=[2], b_indices=[], b_values=[2], b_shape=[2]) Remediati...
CVE-2023-25801
TensorFlow is an open source machine learning platform. Prior to versions 2.12.0 and 2.11.1, nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2 require the first and fourth elements of their parameter pooling_ratio to be equal to 1.0, as pooling on batch and channel dimensions is not supporte...
AZL-35323 CVE-2023-27579 affecting package tensorflow for versions less than 2.11.1-1
TensorFlow is an end-to-end open source platform for machine learning. Constructing a tflite model with a parameter filter_input_channel of less than 1 gives an FPE. This issue has been patched in version 2.12. TensorFlow will also cherry-pick the fix commit on TensorFlow 2.11.1...
AZL-31208 CVE-2023-27579 affecting package tensorflow for versions less than 2.11.1-1
TensorFlow is an end-to-end open source platform for machine learning. Constructing a tflite model with a parameter filter_input_channel of less than 1 gives an FPE. This issue has been patched in version 2.12. TensorFlow will also cherry-pick the fix commit on TensorFlow 2.11.1...
AZL-31206 CVE-2023-25801 affecting package tensorflow for versions less than 2.11.1-1
TensorFlow is an open source machine learning platform. Prior to versions 2.12.0 and 2.11.1, nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2 require the first and fourth elements of their parameter pooling_ratio to be equal to 1.0, as pooling on batch and channel dimensions is not supporte...