Lucene search
K

7035 matches found

PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Division by zero in Tensorflow

Impact The implementation of FractionalMaxPool can be made to crash a TensorFlow process via a division by 0:pythonimport tensorflow as tfimport numpy as nptf.rawops.FractionalMaxPool value=tf.constantvalue=1, 4, 2, 3, dtype=tf.int64, poolingratio=1.0, 1.44, 1.73, 1.0, pseudorandom=False,...

7.1CVSS6.6AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Improper Restriction of XML External Entity Reference in trytond and proteus

An XXE issue was discovered in Tryton Application Platform Server 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform Command Line Client proteus 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user...

6.5CVSS6.7AI score0.01374EPSS
Exploits1References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข2 views

Null-dereference in Tensorflow

ImpactThe implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer:ccconst auto& initopsigit = metagraphdef.signaturedef.findkSavedModelInitOpSignatureKey;if initopsigit != sigdefmap.end initopname = initopsigit-second.outputs .findkSavedModelInitOpSignatureKey...

7.1CVSS6.7AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Memory leak in Tensorflow

ImpactIf a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize:ccStatus s = params.createkerneln-properties, &item-;kernel;if !s.ok item-kernel = nullptr; s = AttachDefs, n; return s; Here, we set item-kernel to nullptr but it is a simple...

5.3CVSS6.2AI score0.00716EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Integer overflow in Tensorflow

ImpactThe implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements:ccint64t OpLevelCostEstimator::CalculateTensorSize const OpInfo::TensorProperties&...

7.1CVSS6.7AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข2 views

`CHECK`-failures in binary ops in Tensorflow

ImpactA malicious user can cause a denial of service by altering a SavedModel such that any binary op would trigger CHECK failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the dtype no longer matches the dtype expected by the op. In that case...

6.5CVSS6.7AI score0.00872EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Type confusion leading to segfault in Tensorflow

Impact The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion:pythonimport tensorflow as [email protected] test: y = tf.rawops.ConcatV2 values=1,2,3,4,5,6, axis = 0xb500005b return ytestThe axis argument is...

7.1CVSS6.6AI score0.00845EPSS
Exploits1References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Use after free in `DecodePng` kernel

ImpactA malicious user can cause a use after free behavior when decoding PNG images:ccif / ... error conditions ... / png::CommonFreeDecode; OPREQUIREScontext, false, errors::InvalidArgument"PNG size too large for int: ", decode.width, " by ", decode.height; After png::CommonFreeDecode gets calle...

7.6CVSS6.7AI score0.00725EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Memory exhaustion in Tensorflow

Impact The implementation of StringNGrams can be used to trigger a denial of service attack by causing an OOM condition after an integer overflow:pythonimport tensorflow as tftf.rawops.StringNGrams data='123456', datasplits=0,1, separator='a'15, ngramwidths=, leftpad='', rightpad='', padwidth=-5,...

6.5CVSS6.6AI score0.00821EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

`CHECK`-failures in Tensorflow

Impact The implementation of MapStage is vulnerable a CHECK-fail if the key tensor is not a scalar:pythonimport tensorflow as tfimport numpy as nptf.rawops.MapStage key = tf.constantvalue=4, shape= 1,2, dtype=tf.int64, indices = np.array6, values = np.array-60, dtypes = tf.int64, capacity=0,...

7.1CVSS6.6AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Division by zero in Tensorflow

Impact The estimator for the cost of some convolution operations can be made to execute a division by 0:pythonimport tensorflow as [email protected] test: y=tf.rawops.AvgPoolGrad originputshape=1,1,1,1, grad=1.0,1.0,1.0,2.0,2.0,2.0,3.0,3.0,3.0, ksize=1,1,1,1, strides=1,1,1,0, padding='VALID',...

6.8CVSS6.7AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Memory exhaustion in Tensorflow

Impact The implementation of ThreadPoolHandle can be used to trigger a denial of service attack by allocating too much memory:pythonimport tensorflow as tfy = tf.rawops.ThreadPoolHandlenumthreads=0x60000000,displayname='tf'This is because the numthreads argument is only checked to not be negative...

6.5CVSS6.6AI score0.00765EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Overflow and uncaught divide by zero in Tensorflow

Impact The implementation of UnravelIndex is vulnerable to a division by zero caused by an integer overflow bug:pythonimport tensorflow as tftf.rawops.UnravelIndexindices=-0x100000,dims=0x100000,0x100000 PatchesWe have patched the issue in GitHub commit 58b34c6c8250983948b5a781b426f6aa01fd47af. T...

7.1CVSS6.7AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Out of bounds write in Tensorflow

ImpactTensorFlow is vulnerable to a heap OOB write in Grappler:ccStatus SetUnknownShapeconst NodeDef node, int outputport shapeinference::ShapeHandle shape = GetUnknownOutputShapenode, outputport; InferenceContext ctx = GetContextnode; if ctx == nullptr return errors::InvalidArgument"Missing...

8.8CVSS7AI score0.00924EPSS
Exploits1References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Insecure temporary file in Tensorflow

ImpactIn multiple places, TensorFlow uses tempfile.mktemp to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in mktemp and the actual creation of the file by a...

8.4CVSS6.7AI score0.0011EPSS
Exploits0References7Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Reachable Assertion in Tensorflow

ImpactWhen decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes. PatchesWe have patched the issue in GitHub...

7.1CVSS6.7AI score0.00469EPSS
Exploits0References8Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข2 views

Division by zero in TFLite

Impact An attacker can craft a TFLite model that would trigger a division by zero in the implementation of depthwise convolutions.The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding that needs to be added befo...

7.1CVSS6.6AI score0.00821EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข2 views

Read and Write outside of bounds in TensorFlow

ImpactAn attacker can craft a TFLite model that would allow limited reads and writes outside of arrays in TFLite. This exploits missing validation in the conversion from sparse tensors to dense tensors. PatchesWe have patched the issue in GitHub commit 6364463d6f5b6254cac3d6aedf999b6a96225038.The...

8.8CVSS7AI score0.00837EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Out of bounds write in TFLite

Impact An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions. PatchesWe have patched th...

8.8CVSS7AI score0.0054EPSS
Exploits0References8Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

`CHECK`-failures in Tensorflow

ImpactAn attacker can trigger denial of service via assertion failure by altering a SavedModel on disk such that AttrDefs of some operation are duplicated. PatchesWe have patched the issue in GitHub commit c2b31ff2d3151acb230edc3f5b1832d2c713a9e0.The fix will be included in TensorFlow 2.8.0. We...

7.1CVSS6.7AI score0.00469EPSS
Exploits0References8Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Division by zero in TFLite

Impact An attacker can craft a TFLite model that would trigger a division by zero in BiasAndClamp implementation:ccinline void BiasAndClampfloat clampmin, float clampmax, int biassize, const float biasdata, int arraysize, float arraydata // ... TFLITEDCHECKEQarraysize % biassize, 0; // ... There ...

7.1CVSS6.6AI score0.00757EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Integer overflow in TFLite

Impact An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations:cc int embeddingsize = 1; int lookupsize = 1; for int i = 0; i data.i32i; lookupsize = dim; outputshape-datak = dim; for int i = 1; i datak = dim; Both embeddingsize and lookupsize are...

8.8CVSS7AI score0.01173EPSS
Exploits1References11Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Heap overflow in Tensorflow

Impact The implementation of SparseCountSparseOutput is vulnerable to a heap overflow:pythonimport tensorflow as tfimport numpy as nptf.rawops.SparseCountSparseOutput indices=-1,-1, values=2, denseshape=1, 1, weights=1, binaryoutput=True, minlength=-1, maxlength=-1, name=None PatchesWe have patch...

8.8CVSS7AI score0.00788EPSS
Exploits1References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Integer overflow in Tensorflow

ImpactThe implementation of Range suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. PatchesWe have patched the issue in GitHub commit f0147751fd5d2ff23251149ebad9af9f03010732 merging 51733.The fix will be included in TensorFlo...

8.8CVSS7AI score0.00578EPSS
Exploits0References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข2 views

Integer overflow in TFLite array creation

Impact An attacker can craft a TFLite model that would cause an integer overflow in TfLiteIntArrayCreate:ccTfLiteIntArray TfLiteIntArrayCreateint size int allocsize = TfLiteIntArrayGetSizeInBytessize; // ... TfLiteIntArray ret = TfLiteIntArraymallocallocsize; // ... The TfLiteIntArrayGetSizeInByt...

8.8CVSS7AI score0.00811EPSS
Exploits1References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Integer overflows in Tensorflow

Impact The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects so, an assert failure based denial of service:pythonimport tensorflow as tfimport numpy as nptf.rawops.AddManySparseToTensorsMap...

7.1CVSS6.7AI score0.008EPSS
Exploits1References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Null-dereference in Tensorflow

ImpactWhen decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK:cc const auto attr = attrs.Findarg-s; DCHECKattr != nullptr; if attr-valuecase == AttrValue::kList ...

7.1CVSS6.7AI score0.00992EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Assertion failure based denial of service in Tensorflow

Impact The implementation of Bincount operations allows malicious users to cause denial of service by passing in arguments which would trigger a CHECK-fail:pythonimport tensorflow as tftf.rawops.DenseBincount input=0, 1, 2, size=1, weights=3,2,1, binaryoutput=FalseThere are several conditions tha...

7.1CVSS6.6AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข2 views

Null pointer dereference in TensorFlow

Impact The implementation of QuantizedMaxPool has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer.pythonimport tensorflow as tftf.rawops.QuantizedMaxPool input = tf.constant4, dtype=tf.quint8, mininput = , maxinput = 1, ksize = 1, 1, 1, 1, stride...

7.1CVSS6.6AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Undefined behavior in `SparseTensorSliceDataset`

Impact The implementation of SparseTensorSliceDataset has an undefined behavior: under certain condition it can be made to dereference a nullptr value:pythonimport tensorflow as tfimport numpy as nptf.rawops.SparseTensorSliceDataset indices=, values=, denseshape=1,1The 3 input arguments represent...

7.6CVSS6.6AI score0.00746EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Integer overflows in Tensorflow

Impact The implementations of SparseCwise ops are vulnerable to integer overflows. These can be used to trigger large allocations so, OOM based denial of service or CHECK-fails when building new TensorShape objects so, assert failures based denial of service:pythonimport tensorflow as tfimport...

7.1CVSS6.6AI score0.01097EPSS
Exploits1References11Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข5 views

Null pointer dereference in TensorFlow

ImpactWhen building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference:cc string allowedgpus = flr-configproto-gpuoptions.visibledevicelist; In the default scenario, all devices are allowed, so flr-configproto is nullptr. PatchesWe have patched...

6.5CVSS6.6AI score0.00774EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

`CHECK`-fails when building invalid tensor shapes in Tensorflow

Impact Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails i.e., assertion failures. This is similar to TFSA-2021-198 CVE-2021-41197 and has similar fixes. PatchesWe have patched the reported issues in multiple GitHub commits. It is possible that other...

7.1CVSS6.6AI score0.00458EPSS
Exploits0References8Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Integer overflow leading to crash in Tensorflow

Impact The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation:pythonimport tensorflow as tfimport numpy as np tf.rawops.SparseCountSparseOutput indices=1,1, values=2, denseshape=2 31, 2 32,...

7.1CVSS6.7AI score0.00783EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Crash due to erroneous `StatusOr` in TensorFlow

ImpactA GraphDef from a TensorFlow SavedModel can be maliciously altered to cause a TensorFlow process to crash due to encountering a StatusOr value that is an error and forcibly extracting the value from it:cc if opregdata-typector != nullptr VLOG3 opdef; const FullTypeDef ctortypedef =...

7.5CVSS7AI score0.00973EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Null pointer dereference in Grappler's `IsConstant`

ImpactUnder certain scenarios, Grappler component of TensorFlow can trigger a null pointer dereference. There are 2 places where this can occur, for the same malicious alteration of a SavedModel file fixing the first one would trigger the same dereference in the second place:First, during constan...

6.5CVSS6.7AI score0.01097EPSS
Exploits1References11Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข2 views

Crash when type cannot be specialized in Tensorflow

ImpactUnder certain scenarios, TensorFlow can fail to specialize a type during shape inference:ccvoid InferenceContext::PreInputInit const OpDef& opdef, const std::vector& inputtensors, const std::vector& inputtensorsasshapes const auto ret = fulltype::SpecializeTypeattrs, opdef;...

7.1CVSS6.7AI score0.00992EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Reachable Assertion in Tensorflow

ImpactWhen decoding a tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments, if the tensors have an invalid dtype and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow...

7.1CVSS6.7AI score0.00469EPSS
Exploits0References8Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Out of bounds read in Tensorflow

ImpactTensorFlow's type inference can cause a heap OOB read as the bounds checking is done in a DCHECK which is a no-op during production:ccif nodet.typeid != TFTUNSET int ix = inputidxi; DCHECKix nodet.argssize "input " i " should have an output " ix " but instead only has " nodet.argssize "...

8.1CVSS7AI score0.00858EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข2 views

Segfault in `simplifyBroadcast` in Tensorflow

ImpactThe simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault hence, denial of service, if called with scalar shapes.cc sizet maxRank = 0; for auto shape : llvm::enumerateshapes auto foundshape = analysis.dimensionsForShapeTensorshape.value; if...

8.2CVSS7AI score0.0087EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Out of bounds read in Tensorflow

ImpactThe TFG dialect of TensorFlow MLIR makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect.If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can caus...

8.8CVSS6.2AI score0.00142EPSS
Exploits0References6Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Out of bounds read in Tensorflow

ImpactThe TFG dialect of TensorFlow MLIR makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect.If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can caus...

8.8CVSS6.2AI score0.00142EPSS
Exploits0References6Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Stack overflow in TensorFlow

ImpactThe GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel: library function signature name: "SomeOp" description:...

7.5CVSS7.1AI score0.00789EPSS
Exploits0References8Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Out of bounds read and write in Tensorflow

ImpactThere is a typo in TensorFlow's SpecializeType which results in heap OOB read/write:ccfor int i = 0; i argssize; j++ auto arg = t-mutableargsi; // ... Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign to arg fro...

8.8CVSS7AI score0.00837EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Integer overflow in TensorFlow

ImpactUnder certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior. PatchesWe have patched the issue in GitHub commit...

9.8CVSS7.1AI score0.00888EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Out of bounds read in Tensorflow

Impact The implementation of FractionalAvgPoolGrad does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap:pythonimport tensorflow as [email protected] test: y = tf.rawops.FractionalAvgPoolGrad originputtensorshape=2,2,2,2,...

8.1CVSS6.9AI score0.00815EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Out of bounds read in Tensorflow

Impact The implementation of shape inference for ReverseSequence does not fully validate the value of batchdim and can result in a heap OOB read:pythonimport tensorflow as [email protected] test: y = tf.rawops.ReverseSequence input = 'aaa','bbb', seqlengths = 1,1,1, seqdim = -10, batchdim = -10...

8.1CVSS6.9AI score0.01125EPSS
Exploits1References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข3 views

Uninitialized variable access in Tensorflow

ImpactThe implementation of AssignOp can result in copying unitialized data to a new tensor. This later results in undefined behavior.The implementation has a check that the left hand side of the assignment is initialized to minimize number of allocations, but does not check that the right hand...

8.8CVSS7AI score0.00755EPSS
Exploits1References9Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Multiple `CHECK`-fails in `function.cc` in TensowFlow

ImpactA malicious user can cause a denial of service by altering a SavedModel such that assertions in function.cc would be falsified and crash the Python interpreter. PatchesWe have patched the issue in GitHub commits dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 and...

6.5CVSS6.7AI score0.008EPSS
Exploits1References10Affected Software1
PyPA
PyPA
โ€ขadded 6 days agoโ€ข4 views

Memory leak in decoding PNG images

ImpactWhen decoding PNG images TensorFlow can produce a memory leak if the image is invalid.After calling png::CommonInitDecode..., , the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode. However, several error case in the function implementation...

6.5CVSS6.8AI score0.00992EPSS
Exploits1References9Affected Software1
Total number of security vulnerabilities7035