BIT-tensorflow-2022-29216
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/tensorflow/BIT-tensorflow-2022-29216.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/BIT-tensorflow-2022-29216
- Aliases
- Published
- 2024-03-06T11:14:12.803Z
- Modified
- 2024-03-06T11:25:28.861Z
- Summary
- [none]
- Details
-
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's
saved_model_clitool is vulnerable to a code injection. This can be used to open a reverse shell. This code path was maintained for compatibility reasons as the maintainers had several test cases where numpy expressions were used as arguments. However, given that the tool is always run manually, the impact of this is still not severe. The maintainers have now removed thesafe=Falseargument, so all parsing is done without callingeval. The patch is available in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4. - Database specific
{ "cpes": [ "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.7.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.7.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.8.0:-:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.8.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.8.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.9.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.9.0:rc1:*:*:*:*:*:*" ], "severity": "High" }- References
-
- https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/python/tools/saved_model_cli.py#L566-L574
- https://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7
- https://github.com/tensorflow/tensorflow/commit/c5da7af048611aa29e9382371f0aed5018516cac
- https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
- https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
- https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
- https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-75c9-jrh4-79mc
Affected packages
Bitnami / tensorflow
Package
- Name
- tensorflow
- Purl
- pkg:bitnami/tensorflow
Severity
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.6.4Introduced2.7.0Fixed2.7.2
- Type
- SEMVER
- Events
-
Introduced2.7.0-rc0Last affected2.7.0-rc0Introduced2.7.0-rc1Last affected2.7.0-rc1Introduced2.8.0Last affected2.8.0Introduced2.8.0-rc0Last affected2.8.0-rc0Introduced2.8.0-rc1Last affected2.8.0-rc1Introduced2.9.0-rc0Last affected2.9.0-rc0Introduced2.9.0-rc1Last affected2.9.0-rc1