PYSEC-2022-123

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/tensorflow-gpu/PYSEC-2022-123.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2022-123
Aliases
Published
2022-02-04T23:15:00Z
Modified
2023-12-06T00:46:57.671422Z
Summary
[none]
Details

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both embedding_size and lookup_size are products of values provided by the user. Hence, a malicious user could trigger overflows in the multiplication. In certain scenarios, this can then result in heap OOB read/write. Users are advised to upgrade to a patched version.

References

Affected packages

PyPI / tensorflow-gpu

Package

Affected ranges

Type
GIT
Repo
https://github.com/tensorflow/tensorflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.3
Introduced
2.6.0
Fixed
2.6.3

Affected versions

0.*

0.12.0
0.12.1

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.12.2
1.12.3
1.13.1
1.13.2
1.14.0
1.15.0
1.15.2
1.15.3
1.15.4
1.15.5

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2