animl (>=1.1.2 <=1.1.4), audio-classification-models (=1.0.1) +7 more potentially affected by CVE-2022-23595 via tensorflow-gpu (>=2.6.0 <=2.6.2)

tensorflow-gpu PYPI version =2.6.0, =1.1.2, =0.1.5, =0.1.0, =0.9.0, =1.0.5, =1.0.6 Source cves: CVE-2022-23595 Source advisory: OSV:GHSA-FPCP-9H7M-FFPX...

alwakeupword (=1.0.0), armadillin (>=0.0.2 <=0.53.0) +42 more potentially affected by CVE-2022-23595 via tensorflow (>=2.6.0 <=2.6.2)

tensorflow PYPI version =2.6.0, =0.0.2, =1.0.1, =0.0.9, =0.2.0, =4.4.0, =1.1.2, =0.2.0, =0.0.1, =1.0.0, =1.1.2 - imgtovar =0.8.5 and more Source cves: CVE-2022-23595 Source advisory: OSV:GHSA-FPCP-9H7M-FFPX...

GHSA-9X52-887G-FHC2 Out of bounds read in Tensorflow

Impact The TFG dialect of TensorFlow MLIR makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect. If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can...

Out of bounds read in Tensorflow

Impact The TFG dialect of TensorFlow MLIR makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect. If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can...

aadhaar-detection (=0.5.0), accuinsight (>=1.0.84 <=1.0.87) +38 more potentially affected by CVE-2022-23594 via tensorflow (>=2.7.0 <=2.7.0rc1)

tensorflow PYPI version =2.7.0, =1.0.84, =3.0.22, =0.1.11, =0.1.11, =0.1.11, =0.1.0, =0.0.1, =0.1.5.dev202303131412, =0.1.0, =0.1.1 and more Source cves: CVE-2022-23594 Source advisory: OSV:GHSA-9X52-887G-FHC2...

rpnet (>=0.0.1 <=0.1.0), rpnet-dev (>=0.0.5 <=0.0.12) +4 more potentially affected by CVE-2022-23594 via tensorflow-gpu (=2.7.0)

tensorflow-gpu PYPI version =2.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on tensorflow-gpu and may be impacted: - rpnet =0.0.1, =0.0.5, =1.0.5, =1.1.1 - tpu-tf2 =1.0.0 - troj =1.0.0 Source cves: CVE-2022-23594 Source advisory:...

lsmmdma (>=0.0.4 <=0.1.7), tpu-tf2 (=1.0.0) potentially affected by CVE-2022-23594 via tensorflow-cpu (=2.7.0)

tensorflow-cpu PYPI version =2.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on tensorflow-cpu and may be impacted: - lsmmdma =0.0.4, =0.1.7 - tpu-tf2 =1.0.0 Source cves: CVE-2022-23594 Source advisory: OSV:GHSA-9X52-887G-FHC2...

Segfault in `simplifyBroadcast` in Tensorflow

Impact The simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault hence, denial of service, if called with scalar shapes. cc sizet maxRank = 0; for auto shape : llvm::enumerateshapes auto foundshape = analysis.dimensionsForShapeTensorshape.value; if...

GHSA-GWCX-JRX4-92W2 Segfault in `simplifyBroadcast` in Tensorflow

Impact The simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault hence, denial of service, if called with scalar shapes. cc sizet maxRank = 0; for auto shape : llvm::enumerateshapes auto foundshape = analysis.dimensionsForShapeTensorshape.value; if...

Out of bounds read in Tensorflow

Impact TensorFlow's type inference can cause a heap OOB read as the bounds checking is done in a DCHECK which is a no-op during production: cc if nodet.typeid != TFTUNSET int ix = inputidxi; DCHECKix nodet.argssize "input " i " should have an output " ix " but instead only has " nodet.argssize "...

GHSA-VQ36-27G6-P492 Out of bounds read in Tensorflow

Impact TensorFlow's type inference can cause a heap OOB read as the bounds checking is done in a DCHECK which is a no-op during production: cc if nodet.typeid != TFTUNSET int ix = inputidxi; DCHECKix nodet.argssize "input " i " should have an output " ix " but instead only has " nodet.argssize "...

animl (>=1.1.2 <=1.1.4), audio-classification-models (=1.0.1) +7 more potentially affected by CVE-2022-23591 via tensorflow-gpu (>=2.6.0 <=2.6.2)

tensorflow-gpu PYPI version =2.6.0, =1.1.2, =0.1.5, =0.1.0, =0.9.0, =1.0.5, =1.0.6 Source cves: CVE-2022-23591 Source advisory: OSV:GHSA-247X-2F9F-5WP7...

125softnlp (=0.0.1), a2 (>=0.10.11 <=0.10.13) +4847 more potentially affected by CVE-2022-23591 via tensorflow (>=1.0.1 <=2.5.2)

tensorflow PYPI version =1.0.1, =0.10.11, =0.1.0, =0.0.0, =0.6.0, =0.1.6, =1.0.0, =2.0.0, =1.0.0, =0.0.1, =0.0.7 and more Source cves: CVE-2022-23591 Source advisory: OSV:GHSA-247X-2F9F-5WP7...

Stack overflow in TensorFlow

Impact The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel: library function signature name: "SomeOp" description:...

a62-emotion (>=0.10.12 <=0.11.4), aiproteomics (=0.2.1) +97 more potentially affected by CVE-2022-23591 via tensorflow-cpu (>=1.15.0 <=2.4.4)

tensorflow-cpu PYPI version =1.15.0, =0.10.12, =2.0.0, =2.0.0, =1.0.0, =0.0.5, =0.3.0, =0.0.1, =0.8.1, =0.1.1, =1.3.0, =0.1.0.dev1, =0.0.1, =0.3.3 and more Source cves: CVE-2022-23591 Source advisory: OSV:GHSA-247X-2F9F-5WP7...

arekit (>=0.21.0 <=0.22.1), arenets (>=0.23.0 <=0.23.1) +170 more potentially affected by CVE-2022-23591 via tensorflow-gpu (>=1.10.1 <=2.5.1)

tensorflow-gpu PYPI version =1.10.1, =0.21.0, =0.23.0, =0.9.2, =0.1.0, =0.0.1, =0.0.9, =0.1.0, =0.0.1, =1.0.0, =1.0.3 - brainhance =0.0.1 - cctv-analysis =0.0.2 and more Source cves: CVE-2022-23591 Source advisory: OSV:GHSA-247X-2F9F-5WP7...

lsmmdma (>=0.0.4 <=0.1.7), tpu-tf2 (=1.0.0) potentially affected by CVE-2022-23591 via tensorflow-cpu (=2.7.0)

tensorflow-cpu PYPI version =2.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on tensorflow-cpu and may be impacted: - lsmmdma =0.0.4, =0.1.7 - tpu-tf2 =1.0.0 Source cves: CVE-2022-23591 Source advisory: OSV:GHSA-247X-2F9F-5WP7...

aadhaar-detection (=0.5.0), accuinsight (>=1.0.84 <=1.0.87) +38 more potentially affected by CVE-2022-23591 via tensorflow (>=2.7.0 <=2.7.0rc1)

tensorflow PYPI version =2.7.0, =1.0.84, =3.0.22, =0.1.11, =0.1.11, =0.1.11, =0.1.0, =0.0.1, =0.1.5.dev202303131412, =0.1.0, =0.1.1 and more Source cves: CVE-2022-23591 Source advisory: OSV:GHSA-247X-2F9F-5WP7...

rpnet (>=0.0.1 <=0.1.0), rpnet-dev (>=0.0.5 <=0.0.12) +4 more potentially affected by CVE-2022-23591 via tensorflow-gpu (=2.7.0)

tensorflow-gpu PYPI version =2.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on tensorflow-gpu and may be impacted: - rpnet =0.0.1, =0.0.5, =1.0.5, =1.1.1 - tpu-tf2 =1.0.0 - troj =1.0.0 Source cves: CVE-2022-23591 Source advisory:...

GHSA-247X-2F9F-5WP7 Stack overflow in TensorFlow

Impact The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel: library function signature name: "SomeOp" description:...