CVE-2022-41891: Improper Input Validation
TensorFlow is an open source platform for machine learning. If tf.raw_ops.TensorListConcat is given element_shape=[], it results in a segmentation fault, which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit fc33f3dc4c14051a83eec6535b608abe1d355fde. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
References
- github.com/advisories/GHSA-66vq-54fq-6jvv
- github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/list_kernels.h
- github.com/tensorflow/tensorflow/commit/fc33f3dc4c14051a83eec6535b608abe1d355fde
- github.com/tensorflow/tensorflow/security/advisories/GHSA-66vq-54fq-6jvv
- nvd.nist.gov/vuln/detail/CVE-2022-41891