Vulnerability Description
Tensorflow is an Open Source Machine Learning Framework. When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference. In the default scenario, all devices are allowed, so `flr->config_proto` is `nullptr`. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Tensorflow | <= 2.5.2 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72 (Exploit, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/commit/e21af685e1828f7ca65038307df5cc06 (Patch, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fpcp-9h7m-ffpx (Patch, Third Party Advisory)
FAQ
What is CVE-2022-23595?
CVE-2022-23595 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Tensorflow is an Open Source Machine Learning Framework. When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference. In the default scenario, ...
How severe is CVE-2022-23595?
CVE-2022-23595 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-23595?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.