mezidia-inspector[bot]
commented
2 years ago Nice, one of tasks is done
Open mend-bolt-for-github[bot] opened 2 years ago
mezidia-inspector[bot]
commented
2 years ago Nice, one of tasks is done
mezidia-inspector[bot]
commented
2 years ago Nice to meet you, @mend-bolt-for-github[bot]. Thank you for creating an issue. There are some tasks for you:
To close issue send comment "close", to reopen - "reopen"
secure-code-warrior-for-github[bot]
commented
2 years ago A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer.
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
secure-code-warrior-for-github[bot]
commented
8 months ago Integer overflow occurs when the result of arithmetic operation is greater than the maximum value the integer data type can store. For example, if an integer data type allows integers up to two bytes or 16 bits in length (or an unsigned number up to decimal 65,535), and two integers are to be added together that will exceed the value of 65,535, the result will be integer overflow.
TensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-25668
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Attackers using Tensorflow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25668
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-gw97-ff7c-9v96
Release Date: 2023-03-24
Fix Resolution: 2.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2022-0401
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsAnother instance of CVE-2022-35991, where TensorListScatter and TensorListScatterV2 crash via non scalar inputs inelement_shape, was found in eager mode and fixed.
Publish Date: 2024-11-03
URL: WS-2022-0401
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-xf83-q765-xm6m
Release Date: 2024-11-03
Fix Resolution: 2.10.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-33976
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an end-to-end open source platform for machine learning. `array_ops.upper_bound` causes a segfault when not given a rank 2 tensor. The fix will be included in TensorFlow 2.13 and will also cherrypick this commit on TensorFlow 2.12.
Publish Date: 2024-07-30
URL: CVE-2023-33976
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gjh7-xx4r-x345
Release Date: 2024-07-30
Fix Resolution: 2.12.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25676
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25676
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6wfh-89q8-44jq
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25675
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.Bincount` segfaults when given a parameter `weights` that is neither the same shape as parameter `arr` nor a length-0 tensor. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25675
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7x4v-9gxg-9hwj
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25674
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source machine learning platform. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25674
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gf97-q72m-7579
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25673
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25673
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-647v-r7qq-24fh
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25672
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25672
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-94mm-g2mv-8p7r
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25671
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25671
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25671
Release Date: 2023-03-24
Fix Resolution: 2.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25670
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null point error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25670
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-49rq-hwc3-x77w
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25669
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for `tf.raw_ops.AvgPoolGrad`, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25669
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rcf8-g8jv-vg6p
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25665
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `SparseSparseMaximum` is given invalid sparse tensors as inputs, it can give a null pointer error. A fix is included in TensorFlow version 2.12 and version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25665
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25665
Release Date: 2023-03-24
Fix Resolution: 2.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25664
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25664
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6hg6-5c2q-7rcr
Release Date: 2023-03-24
Fix Resolution: 2.11.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25663
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `ctx->step_containter()` is a null ptr, the Lookup function will be executed with a null pointer. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25663
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-64jg-wjww-7c5w
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25662
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 are vulnerable to integer overflow in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25662
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7jvm-xxmr-v5cw
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25660
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when the parameter `summarize` of `tf.raw_ops.Print` is zero, the new method `SummarizeArray` will reference to a nullptr, leading to a seg fault. A fix is included in TensorFlow version 2.12 and version 2.11.1.
### CVSS 3 Score Details (7.5)Publish Date: 2023-03-24
URL: CVE-2023-25660
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qjqc-vqcf-5qvj
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25659
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`, it can trigger an stack OOB read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25659
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-93vr-9q9m-pj8p
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-25658
### Vulnerable Library - tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whlTensorFlow is an open source machine learning framework for everyone.
Library home page: https://files.pythonhosted.org/packages/3f/cd/9c217589c88448d67a4c755c4215cfae3e261e0af357ee81b9a5d7a96eda/tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **tensorflow-2.10.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
### Vulnerability DetailsTensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, an out of bounds read is in GRUBlockCellGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Publish Date: 2023-03-24
URL: CVE-2023-25658
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-68v3-g9cm-rmm6
Release Date: 2023-03-24
Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)