CVE-2022-41901
18.11.2022, 22:15
TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| tensorflow | 𝑥 < 2.8.4 | |
| tensorflow | 2.9.0 ≤ 𝑥 < 2.9.3 | |
| tensorflow | 2.10.0 ≤ 𝑥 < 2.10.1 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| tensorflow | tensorflow | 𝑥 < 2.8.4 | CNA |
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-617 - Reachable AssertionThe product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
References