CVE-2022-23595: NULL Pointer Dereference
(updated )
Tensorflow is an Open Source Machine Learning Framework. When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference. In the default scenario, all devices are allowed, so flr->config_proto
is nullptr
. The fix will be included in TensorFlow We will also cherrypick this commit on TensorFlow, TensorFlow, and TensorFlow, as these are also affected and still in supported range.
References
- github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/jit/xla_platform_info.cc
- github.com/tensorflow/tensorflow/commit/e21af685e1828f7ca65038307df5cc06de4479e8
- github.com/tensorflow/tensorflow/security/advisories/GHSA-fpcp-9h7m-ffpx
- nvd.nist.gov/vuln/detail/CVE-2022-23595
Detect and mitigate CVE-2022-23595 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →