CVE-2022-23587: Integer overflow in TensorFlow
Under certain scenarios, the Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.
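The advisory boils down to a product of user-controlled crop dimensions that can exceed the integer type used to hold it, and signed overflow in C++ is undefined behavior. The following is an added illustration, not TensorFlow's own code from the linked commit, of the defensive pattern that closes this class of bug: every dimension is range-checked and the product is computed with an overflow check before it is used. The `CropGeometry` struct, its field names and the constructed sample values are assumptions for this example only.

```cpp
#include <cstdint>
#include <limits>
#include <optional>

// Hypothetical description of one crop-and-resize request. The first three
// fields stand in for the user-controlled cropping parameters the advisory
// refers to; the names are constructed for this example.
struct CropGeometry {
  int64_t num_boxes;    // number of crop boxes requested
  int64_t crop_height;  // target height of each crop
  int64_t crop_width;   // target width of each crop
  int64_t channels;     // channels carried through from the input
};

// Multiplies a*b into *out and reports whether the result fit in int64_t.
// Written with a division-based check so it is portable and never performs
// the overflowing multiplication itself (which would be undefined behavior).
static bool CheckedMul(int64_t a, int64_t b, int64_t* out) {
  if (a < 0 || b < 0) return false;
  if (a != 0 && b > std::numeric_limits<int64_t>::max() / a) return false;
  *out = a * b;
  return true;
}

// Element count a cost estimator would need for the crop-and-resize output.
// Returns std::nullopt instead of a wrapped value when any dimension is
// negative or the product does not fit, so callers cannot proceed on garbage.
std::optional<int64_t> CheckedOutputElements(const CropGeometry& g) {
  const int64_t dims[] = {g.num_boxes, g.crop_height, g.crop_width, g.channels};
  int64_t total = 1;
  for (int64_t d : dims) {
    if (!CheckedMul(total, d, &total)) return std::nullopt;
  }
  return total;
}

// Convenience wrapper mirroring how an estimator might consume the result:
// a rejected request costs nothing and is reported as invalid.
bool EstimateCropCost(const CropGeometry& g, int64_t* elements_out) {
  std::optional<int64_t> n = CheckedOutputElements(g);
  if (!n) {
    *elements_out = 0;
    return false;
  }
  *elements_out = *n;
  return true;
}
```

The point of the pattern is that the check happens before the arithmetic rather than after: testing `total * d` for a wrapped sign bit afterwards is itself undefined behavior in C++ and may be optimized away, which is why the division-based guard (or a compiler builtin such as `__builtin_mul_overflow` on GCC/Clang) is used instead.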
References
- github.com/advisories/GHSA-8jj7-5vxc-pg2q
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-96.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-151.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc
- github.com/tensorflow/tensorflow/commit/0aaaae6eca5a7175a193696383f582f53adab23f
- github.com/tensorflow/tensorflow/security/advisories/GHSA-8jj7-5vxc-pg2q
- nvd.nist.gov/vuln/detail/CVE-2022-23587