Search for packages
| purl | pkg:pypi/tensorflow-cpu@2.10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-162b-e4ey-kfb6
Aliases: CVE-2022-41902 GHSA-cg88-rpvp-cjv5 GMS-2022-6995 GMS-2022-7003 GMS-2022-7011 |
TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1. |
Affected by 22 other vulnerabilities. |
|
VCID-18pt-kr33-2yer
Aliases: CVE-2023-25672 GHSA-94mm-g2mv-8p7r |
Affected by 1 other vulnerability. |
|
|
VCID-1g5k-pk73-xuag
Aliases: CVE-2023-25665 GHSA-558h-mq8x-7q9g |
Affected by 1 other vulnerability. |
|
|
VCID-3f8t-3shh-4yd3
Aliases: CVE-2023-33976 GHSA-gjh7-xx4r-x345 |
TensorFlow is an end-to-end open source platform for machine learning. `array_ops.upper_bound` causes a segfault when not given a rank 2 tensor. The fix will be included in TensorFlow 2.13 and will also cherrypick this commit on TensorFlow 2.12. |
Affected by 0 other vulnerabilities. |
|
VCID-43qh-mkdk-8qdg
Aliases: CVE-2022-41886 GHSA-54pp-c6pp-7fpx |
TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-5gxh-jraz-qqgt
Aliases: CVE-2022-41901 GHSA-g9fm-r5mm-rf9f |
`CHECK_EQ` fail via input in `SparseMatrixNNZ` |
Affected by 22 other vulnerabilities. |
|
VCID-6d3g-yrc1-skgp
Aliases: CVE-2022-41891 GHSA-66vq-54fq-6jvv |
TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListConcat` is given `element_shape=[]`, it results segmentation fault which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit fc33f3dc4c14051a83eec6535b608abe1d355fde. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-6d4y-v122-pffp
Aliases: CVE-2023-25669 GHSA-rcf8-g8jv-vg6p |
Affected by 1 other vulnerability. |
|
|
VCID-6ujk-5hn7-g7dj
Aliases: CVE-2023-25801 GHSA-f49c-87jh-g47q |
Affected by 1 other vulnerability. |
|
|
VCID-8mbh-74v8-57bn
Aliases: CVE-2022-41889 GHSA-xxcj-rhqg-m46g |
TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-aq4b-cxh4-pqgy
Aliases: CVE-2023-25658 GHSA-68v3-g9cm-rmm6 |
Affected by 1 other vulnerability. |
|
|
VCID-cp1r-46ub-8yg8
Aliases: CVE-2023-25660 GHSA-qjqc-vqcf-5qvj |
Affected by 1 other vulnerability. |
|
|
VCID-cs1n-e4ng-wbhu
Aliases: CVE-2022-41908 GHSA-mv77-9g28-cwg3 |
TensorFlow is an open source platform for machine learning. An input `token` that is not a UTF-8 bytestring will trigger a `CHECK` fail in `tf.raw_ops.PyFunc`. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-css2-4pa4-87gx
Aliases: CVE-2023-25663 GHSA-64jg-wjww-7c5w |
Affected by 1 other vulnerability. |
|
|
VCID-egjs-r2ed-hbfe
Aliases: CVE-2022-41910 GHSA-frqp-wp83-qggv GMS-2022-6997 GMS-2022-7005 GMS-2022-7013 |
Heap overflow in `QuantizeAndDequantizeV2` |
Affected by 22 other vulnerabilities. |
|
VCID-esen-w1rc-73du
Aliases: CVE-2023-25674 GHSA-gf97-q72m-7579 |
Affected by 1 other vulnerability. |
|
|
VCID-f186-75wf-3bd5
Aliases: CVE-2023-25664 GHSA-6hg6-5c2q-7rcr |
Affected by 1 other vulnerability. |
|
|
VCID-f522-fb48-b3gc
Aliases: CVE-2022-41888 GHSA-6x99-gv2v-q76v |
TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-fujj-xc7u-ducv
Aliases: CVE-2023-25673 GHSA-647v-r7qq-24fh |
Affected by 1 other vulnerability. |
|
|
VCID-gkxw-ufq4-2ffz
Aliases: CVE-2022-41896 GHSA-rmg2-f698-wq35 |
TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-hp3e-kt3d-ykfr
Aliases: CVE-2023-25670 GHSA-49rq-hwc3-x77w |
Affected by 1 other vulnerability. |
|
|
VCID-j4sc-7ycd-vkc4
Aliases: CVE-2022-41900 GHSA-xvwp-h6jv-7472 |
FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess |
Affected by 22 other vulnerabilities. |
|
VCID-jc4n-4jfy-x7ez
Aliases: CVE-2023-25668 GHSA-gw97-ff7c-9v96 |
Affected by 1 other vulnerability. |
|
|
VCID-jgys-5pnb-tkfk
Aliases: GHSA-cqvq-fvhr-v6hc GMS-2022-6996 GMS-2022-7004 GMS-2022-7012 |
`CHECK` failure in `SobolSample` via missing validation |
Affected by 22 other vulnerabilities. |
|
VCID-jhgz-re77-hkf5
Aliases: CVE-2022-41884 GHSA-jq6x-99hj-q636 |
Seg fault in `ndarray_tensor_bridge` due to zero and large inputs |
Affected by 22 other vulnerabilities. |
|
VCID-mjz8-5aee-8bhn
Aliases: CVE-2023-25662 GHSA-7jvm-xxmr-v5cw |
Affected by 1 other vulnerability. |
|
|
VCID-n8np-2f5x-abd4
Aliases: GHSA-xf83-q765-xm6m GMS-2022-7001 GMS-2022-7009 GMS-2022-7017 |
`CHECK` fail in `TensorListScatter` and `TensorListScatterV2` in eager mode |
Affected by 22 other vulnerabilities. |
|
VCID-p36a-eb5k-rqgu
Aliases: CVE-2023-25667 GHSA-fqm2-gh8w-gr68 |
Affected by 1 other vulnerability. |
|
|
VCID-pr47-unnv-d7a9
Aliases: CVE-2023-27579 GHSA-5w96-866f-6rm8 |
Affected by 1 other vulnerability. |
|
|
VCID-r7qz-zsk3-sqaq
Aliases: CVE-2022-41911 GHSA-pf36-r9c6-h97j |
TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-s15s-j2ys-cucy
Aliases: CVE-2022-41883 GHSA-w58w-79xv-6vcj |
Out of bounds segmentation fault due to unequal op inputs in Tensorflow |
Affected by 22 other vulnerabilities. |
|
VCID-se4m-gfvh-sbds
Aliases: CVE-2022-41890 GHSA-h246-cgh4-7475 |
TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can be seen in `tf.experimental.numpy.outer` by passing in large input to the input `b`. We have patched the issue in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-skd4-mkp3-ukef
Aliases: CVE-2022-41880 GHSA-8w5g-3wcv-9g2j |
TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value in `true_classes` larger than `range_max`, a heap oob read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-tn91-effk-ukcs
Aliases: CVE-2022-41898 GHSA-hq7g-wwwp-q46h |
TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-unkw-ckgc-yqgv
Aliases: CVE-2022-41897 GHSA-f2w8-jw48-fr7j |
TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_pooling_sequence` and `col_pooling_sequence`, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-v1bb-9jk5-9kfw
Aliases: CVE-2023-25675 GHSA-7x4v-9gxg-9hwj |
Affected by 1 other vulnerability. |
|
|
VCID-ve91-saat-hkeb
Aliases: CVE-2023-25666 GHSA-f637-vh3r-vfh2 |
Affected by 1 other vulnerability. |
|
|
VCID-x2kn-8qsj-pbcs
Aliases: CVE-2022-41909 GHSA-rjx6-v474-2ch9 |
TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-xcqn-waa9-bkc3
Aliases: CVE-2022-41907 GHSA-368v-7v32-52fx |
TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ResizeNearestNeighborGrad` is given a large `size` input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-xcst-tzxn-zfhm
Aliases: CVE-2023-25676 GHSA-6wfh-89q8-44jq |
Affected by 1 other vulnerability. |
|
|
VCID-xdz6-dgwj-sbgz
Aliases: CVE-2022-41893 GHSA-67pf-62xr-q35m |
TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value for input `size`, it results `CHECK` fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-xvbp-vvex-wqhd
Aliases: CVE-2023-25661 GHSA-fxgc-95xx-grvq |
TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose` function. This Convolution3DTranspose layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure could be potentially used to trigger a denial of service attack on ML cloud services. An attacker must have privilege to provide input to a `Convolution3DTranspose` call. This issue has been patched and users are advised to upgrade to version 2.11.1. There are no known workarounds for this vulnerability. |
Affected by 1 other vulnerability. |
|
VCID-yj7a-18fe-myhb
Aliases: CVE-2022-41887 GHSA-8fvv-46hw-vpg3 |
TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` that are passed through `functor::mul` in `BinaryOp`. If the resulting dimensions overflow an `int32`, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9. |
Affected by 22 other vulnerabilities. |
|
VCID-yjzz-juse-wydc
Aliases: CVE-2022-41899 GHSA-27rc-728f-x5w2 |
TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank 2 will trigger a `CHECK` fail in `SdcaOptimizer`. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. |
Affected by 22 other vulnerabilities. |
|
VCID-zg4x-t8ft-x3fh
Aliases: CVE-2022-41895 GHSA-gq2j-cr96-gvqx |
`MirrorPadGrad` heap out of bounds read |
Affected by 22 other vulnerabilities. |
|
VCID-zpcr-vst7-v3e6
Aliases: CVE-2023-25671 GHSA-j5w9-hmfh-4cr6 |
Affected by 1 other vulnerability. |
|
|
VCID-zpxn-zz7d-k7d5
Aliases: CVE-2023-25659 GHSA-93vr-9q9m-pj8p |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||