CVE-2022-23563: Insecure temporary file in Tensorflow
In multiple places, TensorFlow uses tempfile.mktemp to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous: mktemp only returns a path name that did not exist at the moment it checked, and it creates nothing. A different process can create that path (for example, as a symlink to a file it wants overwritten) between the existence check inside mktemp and the actual creation of the file by a subsequent operation, which then opens whatever is now at that name. This is a time-of-check to time-of-use (TOCTOU) weakness. The standard-library alternatives tempfile.mkstemp and tempfile.NamedTemporaryFile create the file atomically with O_EXCL and hand it back already open, so there is no window to hijack.
In several instances, TensorFlow was supposed to create a temporary directory rather than a file. This logic bug is hidden by the use of mktemp, which hands back a bare path name that says nothing about what is expected to be created there; tempfile.mkdtemp creates the directory atomically.
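The following Python is an added example, not TensorFlow's code nor part of the advisory. It makes the race deterministic by simulating the other process in-process: a symlink is planted at the name mktemp returned, before the victim opens it. It then shows why the O_CREAT|O_EXCL open used by mkstemp refuses such a planted entry, and the mkdtemp replacement for the call sites that actually needed a directory. The tf_demo_ prefixes, the "victim" file and the written strings are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def write_with_mktemp(data: str, attacker_target: Optional[Path] = None) -> Path:
    """Vulnerable pattern: mktemp() only returns a name that did not exist
    when it looked; nothing is created, so open() is a separate step.
    `attacker_target` simulates another process winning the race by planting
    a symlink at the predicted path inside that window."""
    path = Path(tempfile.mktemp(prefix="tf_demo_"))
    if attacker_target is not None:
        os.symlink(attacker_target, path)   # attacker acts in the window
    with open(path, "w") as fh:             # follows the symlink silently
        fh.write(data)
    return path


def exclusive_create_refuses_planted_path(attacker_target: Path) -> bool:
    """What mkstemp() does internally: O_CREAT|O_EXCL fails with EEXIST if the
    path exists in any form (a symlink included), so a planted entry is
    detected rather than written through."""
    path = Path(tempfile.mktemp(prefix="tf_demo_"))
    os.symlink(attacker_target, path)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    else:
        os.close(fd)
        return False
    finally:
        path.unlink()                       # removes the link, not the target


def write_with_mkstemp(data: str) -> Path:
    """Hardened pattern: the file is created atomically (O_EXCL, mode 0600)
    and returned as an open descriptor; no name is ever reopened."""
    fd, name = tempfile.mkstemp(prefix="tf_demo_")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return Path(name)


def make_tempdir() -> Path:
    """For call sites that actually need a directory: created atomically, 0700."""
    return Path(tempfile.mkdtemp(prefix="tf_demo_dir_"))


def demo() -> dict:
    """Runs both patterns against a constructed victim file and reports what
    happened, so the outcome can be checked rather than eyeballed."""
    victim_dir = Path(tempfile.mkdtemp(prefix="tf_demo_victim_"))
    victim = victim_dir / "important.txt"
    victim.write_text("original contents")
    try:
        # 1. mktemp + open: the write lands in the attacker's chosen file.
        p = write_with_mktemp("attacker-controlled", attacker_target=victim)
        clobbered = victim.read_text()
        p.unlink()

        # 2. O_EXCL: the same planted symlink makes the open fail instead.
        refused = exclusive_create_refuses_planted_path(victim)

        # 3. mkstemp: a real file, owned by us, not group/world accessible.
        q = write_with_mkstemp("safe")
        posix = os.name == "posix"
        file_private = (q.stat().st_mode & 0o077) == 0 if posix else True
        is_link = q.is_symlink()
        q.unlink()

        # 4. mkdtemp for the directory case.
        d = make_tempdir()
        dir_private = (d.stat().st_mode & 0o077) == 0 if posix else True
        d.rmdir()
    finally:
        victim.unlink()
        victim_dir.rmdir()
    return {
        "victim_after": clobbered,
        "exclusive_refused": refused,
        "mkstemp_private": file_private,
        "mkstemp_is_symlink": is_link,
        "mkdtemp_private": dir_private,
    }


if __name__ == "__main__":
    print(demo())
```

The in-process symlink stands in for a real attacker racing from another process; in production the window is tiny but nonzero, which is why the fix is atomic creation rather than a faster check. The permission assertions are POSIX-specific; on Windows, mkstemp still gives exclusive creation but the mode bits are not comparable.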
References
- github.com/advisories/GHSA-wc4g-r73w-x8mm
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-72.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-127.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/security/advisories/GHSA-wc4g-r73w-x8mm
- nvd.nist.gov/vuln/detail/CVE-2022-23563
Detect and mitigate CVE-2022-23563 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →