DEV-REPO-URIEL / WSD-2772


tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl: 18 vulnerabilities (highest severity is: 9.8) - autoclosed #6

Closed dev-mend-for-github-com[bot] closed 8 months ago

dev-mend-for-github-com[bot] commented 8 months ago
Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt


Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (tensorflow version) | Fix PR available |
|---|---|---|---|---|---|---|
| CVE-2023-25668 | Critical | 9.8 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2023-25664 | Critical | 9.8 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| WS-2022-0401 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2023-25671 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2023-25665 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41911 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41909 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41901 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41899 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41898 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41896 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41891 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41887 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-41885 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-36014 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-36013 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2022-35941 | High | 7.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |
| CVE-2023-25661 | Medium | 6.5 | tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl | Direct | N/A | |

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.**

Details

## CVE-2023-25668

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. Attackers using TensorFlow prior to 2.12.0 or 2.11.1 can access heap memory that is not under the user's control, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also be cherrypicked onto TensorFlow version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25668

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-gw97-ff7c-9v96

Release Date: 2023-03-25

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

In order to enable automatic remediation, please create workflow rules

## CVE-2023-25664

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25664

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6hg6-5c2q-7rcr

Release Date: 2023-03-25

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

In order to enable automatic remediation, please create workflow rules

## WS-2022-0401

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Another instance of CVE-2022-35991, where `TensorListScatter` and `TensorListScatterV2` crash via non-scalar inputs in `element_shape`, was found in eager mode and fixed.

Publish Date: 2022-11-22

URL: WS-2022-0401

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-xf83-q765-xm6m

Release Date: 2022-11-22

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1

In order to enable automatic remediation, please create workflow rules

## CVE-2023-25671

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25671

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25671

Release Date: 2023-03-25

Fix Resolution: tensorflow - 2.11.1, 2.12.0, tensorflow-cpu - 2.11.1, 2.12.0

In order to enable automatic remediation, please create workflow rules

## CVE-2023-25665

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `SparseSparseMaximum` is given invalid sparse tensors as inputs, it can give a null pointer error. A fix is included in TensorFlow version 2.12 and version 2.11.1.

Publish Date: 2023-03-25

URL: CVE-2023-25665

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25665

Release Date: 2023-03-25

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0, tensorflow-gpu - 2.11.1,2.12.0

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41911

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41911

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-pf36-r9c6-h97j

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-cpu - 2.8.4,2.9.3,2.10.1,2.11.0;tensorflow-gpu - 2.8.4,2.9.3,2.10.1,2.11.0

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41909

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41909

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41909

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.8.4, 2.9.3, 2.10.1, 2.11.0

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41901

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41901

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-g9fm-r5mm-rf9f

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41899

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank 2 will trigger a `CHECK` fail in `SdcaOptimizer`. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41899

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-27rc-728f-x5w2

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41898

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41898

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-hq7g-wwwp-q46h

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41896

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41896

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-rmg2-f698-wq35

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41891

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListConcat` is given `element_shape=[]`, it results in a segmentation fault, which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit fc33f3dc4c14051a83eec6535b608abe1d355fde. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41891

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-66vq-54fq-6jvv

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.8.4,2.9.3,2.10.1;tensorflow-cpu - 2.8.4,2.9.3,2.10.1;tensorflow-gpu - 2.8.4,2.9.3,2.10.1

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41887

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` that are passed through `functor::mul` in `BinaryOp`. If the resulting dimensions overflow an `int32`, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.

Publish Date: 2022-11-18

URL: CVE-2022-41887

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41887

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.9.3, 2.10.1, 2.11.0, tensorflow-cpu - 2.9.3, 2.10.1, 2.11.0, tensorflow-gpu - 2.9.3, 2.10.1, 2.11.0

In order to enable automatic remediation, please create workflow rules

## CVE-2022-41885

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.FusedResizeAndPadConv2D` is given a large tensor shape, it overflows. We have patched the issue in GitHub commit d66e1d568275e6a2947de97dca7a102a211e01ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Publish Date: 2022-11-18

URL: CVE-2022-41885

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-41885

Release Date: 2022-11-18

Fix Resolution: tensorflow - 2.7.4, 2.8.1, 2.9.1, 2.10.0, tensorflow-cpu - 2.7.4, 2.8.1, 2.9.1, 2.10.0, tensorflow-gpu - 2.7.4, 2.8.1, 2.9.1, 2.10.0

In order to enable automatic remediation, please create workflow rules

## CVE-2022-36014

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. When `mlir::tfg::TFOp::nameAttr` receives null type list attributes, it crashes. We have patched the issue in GitHub commits 3a754740d5414e362512ee981eefba41561a63a6 and a0f0b9a21c9270930457095092f558fbad4c03e5. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Publish Date: 2022-09-16

URL: CVE-2022-36014

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7j3m-8g3c-9qqq

Release Date: 2022-09-16

Fix Resolution: tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0

In order to enable automatic remediation, please create workflow rules

## CVE-2022-36013

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. When `mlir::tfg::GraphDefImporter::ConvertNodeDef` tries to convert NodeDefs without an op name, it crashes. We have patched the issue in GitHub commit a0f0b9a21c9270930457095092f558fbad4c03e5. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Publish Date: 2022-09-16

URL: CVE-2022-36013

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-828c-5j5q-vrjq

Release Date: 2022-09-16

Fix Resolution: tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0

In order to enable automatic remediation, please create workflow rules

## CVE-2022-35941

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source platform for machine learning. The `AvgPoolOp` function takes an argument `ksize` that must be positive but is not checked. A negative `ksize` can trigger a `CHECK` failure and crash the program. We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds to this issue.

Publish Date: 2022-09-16

URL: CVE-2022-35941

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rh87-q4vg-m45j

Release Date: 2022-09-16

Fix Resolution: tensorflow - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-cpu - 2.7.2,2.8.1,2.9.1,2.10.0, tensorflow-gpu - 2.7.2,2.8.1,2.9.1,2.10.0

In order to enable automatic remediation, please create workflow rules

## CVE-2023-25661

### Vulnerable Library - tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

TensorFlow is an open source machine learning framework for everyone.

Library home page: https://files.pythonhosted.org/packages/3d/bc/cb620fe631574bcd8abb97339bd494ea91e311c35a94a9a1582398ee3c77/tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:
- :x: **tensorflow-2.6.4-cp37-cp37m-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

TensorFlow is an open source machine learning framework. In versions prior to 2.11.1, a malicious invalid input crashes a TensorFlow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose` function. This `Convolution3DTranspose` layer is a very common API in modern neural networks. ML models containing such vulnerable components could be deployed in ML applications or as cloud services, so this failure could potentially be used to trigger a denial of service attack on ML cloud services. An attacker must have the privilege to provide input to a `Convolution3DTranspose` call. This issue has been patched and users are advised to upgrade to version 2.11.1. There are no known workarounds for this vulnerability.

Publish Date: 2023-03-27

URL: CVE-2023-25661

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fxgc-95xx-grvq

Release Date: 2023-03-27

Fix Resolution: tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0

In order to enable automatic remediation, please create workflow rules

dev-mend-for-github-com[bot] commented 8 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.