Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS14OTg5LXEycHEtNHE1eM4AAu2h

Moderate EPSS: 0.00181% (0.40069 Percentile) EPSS:
Permalink JSON

TensorFlow vulnerable to Int overflow in `RaggedRangeOp`

Affected Packages Affected Versions Fixed Versions
pypi:tensorflow-gpu
PURL: pkg:pypi/tensorflow-gpu
>= 2.9.0, < 2.9.1, >= 2.8.0, < 2.8.1, < 2.7.2 2.9.1, 2.8.1, 2.7.2
155 Dependent packages
11,499 Dependent repositories
84,404 Downloads last month

Affected Version Ranges

All affected versions

0.12.0, 0.12.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.12.2, 1.12.3, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.0rc0, 2.7.0rc1, 2.7.1, 2.8.0, 2.8.0rc0, 2.8.0rc1, 2.9.0, 2.9.0rc0, 2.9.0rc1, 2.9.0rc2

All unaffected versions

2.7.2, 2.7.3, 2.7.4, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.0rc0, 2.10.0rc1, 2.10.0rc2, 2.10.0rc3, 2.10.1, 2.11.0, 2.11.0rc0, 2.11.0rc1, 2.11.0rc2, 2.12.0
pypi:tensorflow-cpu
PURL: pkg:pypi/tensorflow-cpu
>= 2.9.0, < 2.9.1, >= 2.8.0, < 2.8.1, < 2.7.2 2.9.1, 2.8.1, 2.7.2
88 Dependent packages
2,483 Dependent repositories
1,313,702 Downloads last month

Affected Version Ranges

All affected versions

1.15.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.0rc0, 2.7.0rc1, 2.7.1, 2.8.0, 2.8.0rc0, 2.8.0rc1, 2.9.0, 2.9.0rc0, 2.9.0rc1, 2.9.0rc2

All unaffected versions

2.7.2, 2.7.3, 2.7.4, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.0rc0, 2.10.0rc1, 2.10.0rc2, 2.10.0rc3, 2.10.1, 2.11.0, 2.11.0rc0, 2.11.0rc1, 2.11.0rc2, 2.11.1, 2.12.0, 2.12.0rc0, 2.12.0rc1, 2.12.1, 2.13.0, 2.13.0rc0, 2.13.0rc1, 2.13.0rc2, 2.13.1, 2.14.0, 2.14.0rc0, 2.14.0rc1, 2.14.1, 2.15.0, 2.15.0rc0, 2.15.0rc1, 2.15.1, 2.16.0rc0, 2.16.1, 2.16.2, 2.17.0, 2.17.0rc0, 2.17.0rc1, 2.17.1, 2.18.0, 2.18.0rc0, 2.18.0rc1, 2.18.0rc2, 2.18.1, 2.19.0, 2.19.0rc0, 2.19.1, 2.20.0, 2.20.0rc0
pypi:tensorflow
PURL: pkg:pypi/tensorflow
>= 2.9.0, < 2.9.1, >= 2.8.0, < 2.8.1, < 2.7.2 2.9.1, 2.8.1, 2.7.2
2,172 Dependent packages
73,755 Dependent repositories
21,825,433 Downloads last month

Affected Version Ranges

All affected versions

0.12.0, 0.12.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.12.2, 1.12.3, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.0rc0, 2.2.0rc1, 2.2.0rc2, 2.2.0rc3, 2.2.0rc4, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.0rc0, 2.3.0rc1, 2.3.0rc2, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.0rc0, 2.4.0rc1, 2.4.0rc2, 2.4.0rc3, 2.4.0rc4, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.0rc0, 2.5.0rc1, 2.5.0rc2, 2.5.0rc3, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.0rc0, 2.6.0rc1, 2.6.0rc2, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.0rc0, 2.7.0rc1, 2.7.1, 2.8.0, 2.8.0rc0, 2.8.0rc1, 2.9.0, 2.9.0rc0, 2.9.0rc1, 2.9.0rc2

All unaffected versions

2.7.2, 2.7.3, 2.7.4, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.0rc0, 2.10.0rc1, 2.10.0rc2, 2.10.0rc3, 2.10.1, 2.11.0, 2.11.0rc0, 2.11.0rc1, 2.11.0rc2, 2.11.1, 2.12.0, 2.12.0rc0, 2.12.0rc1, 2.12.1, 2.13.0, 2.13.0rc0, 2.13.0rc1, 2.13.0rc2, 2.13.1, 2.14.0, 2.14.0rc0, 2.14.0rc1, 2.14.1, 2.15.0, 2.15.0rc0, 2.15.0rc1, 2.15.1, 2.16.0rc0, 2.16.1, 2.16.2, 2.17.0, 2.17.0rc0, 2.17.0rc1, 2.17.1, 2.18.0, 2.18.0rc0, 2.18.0rc1, 2.18.0rc2, 2.18.1, 2.19.0, 2.19.0rc0, 2.19.1, 2.20.0rc0

Impact

The RaggedRangOp function takes an argument limits that is eventually used to construct a TensorShape as an int64. If limits is a very large float, it can overflow when converted to an int64. This triggers an InvalidArgument but also throws an abort signal that crashes the program.

import tensorflow as tf
tf.raw_ops.RaggedRange(starts=[1.1,0.1],limits=[10.0,1e20],deltas=[1,1])

Patches

We have patched the issue in GitHub commit 37cefa91bee4eace55715eeef43720b958a01192.

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jingyi Shi.

References:

Identifiers

GHSA-x989-q2pq-4q5x

CVE-2022-35940

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00181

EPSS Percentile: 0.40069

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/tensorflow/tensorflow

Date and time

Published

about 3 years ago

Updated

1 day ago

API

JSON