Vulnerability Description
Tensorflow is an Open Source Machine Learning Framework. A `GraphDef` from a TensorFlow `SavedModel` can be maliciously altered to cause a TensorFlow process to crash due to encountering a `StatusOr` value that is an error and forcibly extracting the value from it. We have patched the issue in multiple GitHub commits and these will be included in TensorFlow 2.8.0 and TensorFlow 2.7.1, as both are affected.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tensorflow | < 2.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72ExploitThird Party Advisory
- https://github.com/tensorflow/tensorflow/commit/955059813cc325dc1db5e2daa6221271PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pqrv-8r2f-7278PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72ExploitThird Party Advisory
- https://github.com/tensorflow/tensorflow/commit/955059813cc325dc1db5e2daa6221271PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pqrv-8r2f-7278PatchThird Party Advisory
FAQ
What is CVE-2022-23590?
CVE-2022-23590 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Tensorflow is an Open Source Machine Learning Framework. A `GraphDef` from a TensorFlow `SavedModel` can be maliciously altered to cause a TensorFlow process to crash due to encountering a `StatusOr` ...
How severe is CVE-2022-23590?
CVE-2022-23590 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23590?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.