Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xeDNmLXA3NDUtdzRocs0ogg

Integer overflow in Tensorflow

Impact

The implementation of Range suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations.

Patches

We have patched the issue in GitHub commit f0147751fd5d2ff23251149ebad9af9f03010732 (merging #51733).

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported externally via a GitHub issue.

Permalink: https://github.com/advisories/GHSA-qx3f-p745-w4hr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xeDNmLXA3NDUtdzRocs0ogg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago


CVSS Score: 7.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Identifiers: GHSA-qx3f-p745-w4hr, CVE-2022-23562
References: Repository: https://github.com/tensorflow/tensorflow
Blast Radius: 37.0

Affected Packages

pypi:tensorflow-gpu
Dependent packages: 146
Dependent repositories: 11,499
Downloads: 350,104 last month
Affected Version Ranges: = 2.7.0, >= 2.6.0, < 2.6.3, < 2.5.3
Fixed in: 2.7.1, 2.6.3, 2.5.3
All affected versions: 0.12.0, 0.12.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.12.2, 1.12.3, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.7.0
All unaffected versions: 2.5.3, 2.6.3, 2.6.4, 2.6.5, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.12.0
pypi:tensorflow-cpu
Dependent packages: 71
Dependent repositories: 2,483
Downloads: 940,986 last month
Affected Version Ranges: = 2.7.0, >= 2.6.0, < 2.6.3, < 2.5.3
Fixed in: 2.7.1, 2.6.3, 2.5.3
All affected versions: 1.15.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.7.0
All unaffected versions: 2.5.3, 2.6.3, 2.6.4, 2.6.5, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.15.0, 2.15.1, 2.16.1
pypi:tensorflow
Dependent packages: 1,733
Dependent repositories: 73,755
Downloads: 22,369,513 last month
Affected Version Ranges: = 2.7.0, >= 2.6.0, < 2.6.3, < 2.5.3
Fixed in: 2.7.1, 2.6.3, 2.5.3
All affected versions: 0.12.0, 0.12.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.12.2, 1.12.3, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.7.0
All unaffected versions: 2.5.3, 2.6.3, 2.6.4, 2.6.5, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.15.0, 2.15.1, 2.16.1