Vulnerability Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, multiple TensorFlow operations misbehave in eager mode when the resource handle provided to them is invalid. In graph mode it would have been impossible to perform these API calls, but the migration to TF 2.x eager mode opened up this vulnerability. If the resource handle is empty, a reference is bound to a null pointer inside the TensorFlow codebase (in various code paths). This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
CVSS Score
5.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Tensorflow | < 2.6.4 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/commit/a5b89cd68c02329d793356bda85d079e (Patch, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/commit/dbdd98c37bc25249e8f288bd30d01e11 (Patch, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4 (Release Notes, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2 (Release Notes, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1 (Release Notes, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0 (Release Notes, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5wpj-c6f7-24x8 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-29207?
CVE-2022-29207 is a vulnerability with a CVSS score of 5.5 (MEDIUM). TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, multiple TensorFlow operations misbehave in eager mode when the resource handle provided t...
How severe is CVE-2022-29207?
CVE-2022-29207 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-29207?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.