CVE-2022-29208 — HIGH (7.1)

Q: How severe is CVE-2022-29208?

CVE-2022-29208 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-29208?

Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.

Vulnerability Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.EditDistance` has incomplete validation. Users can pass negative values to cause a segmentation fault based denial of service. In multiple places throughout the code, one may compute an index for a write operation. However, the existing validation only checks against the upper bound of the array. Hence, it is possible to write before the array by massaging the input to generate negative values for `loc`. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Google	Tensorflow	< 2.6.4

Related Weaknesses (CWE)

CWE-787

References

https://github.com/tensorflow/tensorflow/commit/30721cf564cb029d34535446d6a5a635PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4Release NotesThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2Release NotesThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1Release NotesThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0Release NotesThird Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2r2f-g8mw-9gvrExploitPatchThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/30721cf564cb029d34535446d6a5a635PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4Release NotesThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2Release NotesThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1Release NotesThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0Release NotesThird Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2r2f-g8mw-9gvrExploitPatchThird Party Advisory

FAQ

What is CVE-2022-29208?

CVE-2022-29208 is a vulnerability with a CVSS score of 7.1 (HIGH). TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.EditDistance` has incomplete validation. Users can pass ...

How severe is CVE-2022-29208?

CVE-2022-29208 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-29208?

Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.