Vulnerabilities > CVE-2022-23588 - Reachable Assertion vulnerability in Google Tensorflow

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

google

CWE-617

NVD

Published: 2022-02-04

Updated: 2022-02-10

Summary

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that Grappler optimizer would attempt to build a tensor using a reference `dtype`. This would result in a crash due to a `CHECK`-fail in the `Tensor` constructor as reference types are not allowed. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Vulnerable Configurations

Part	Description	Count
Application	Google Google Tensorflow 2.7.0 Google Tensorflow - Google Tensorflow 0.1.7 Google Tensorflow 0.5.0 Google Tensorflow 0.6.0 Google Tensorflow 0.7.0 Google Tensorflow 0.7.1 Google Tensorflow 0.8.0 Google Tensorflow 0.9.0 Google Tensorflow 0.10.0 Google Tensorflow 0.11.0 Google Tensorflow 0.12.0 Google Tensorflow 0.12.1 Google Tensorflow 1.0.0 Google Tensorflow 1.0.1 Google Tensorflow 1.1.0 Google Tensorflow 1.2.0 Google Tensorflow 1.2.1 Google Tensorflow 1.3.0 Google Tensorflow 1.3.1 Google Tensorflow 1.4.0 Google Tensorflow 1.4.1 Google Tensorflow 1.5.0 Google Tensorflow 1.5.1 Google Tensorflow 1.6.0 Google Tensorflow 1.7.0 Google Tensorflow 1.7.1 Google Tensorflow 1.8.0 Google Tensorflow 1.9.0 Google Tensorflow 1.10.0 Google Tensorflow 1.10.1 Google Tensorflow 1.11.0 Google Tensorflow 1.12.0 Google Tensorflow 1.12.1 Google Tensorflow 1.12.2 Google Tensorflow 1.12.3 Google Tensorflow 1.13.0 Google Tensorflow 1.13.1 Google Tensorflow 1.13.2 Google Tensorflow 1.14.0 Google Tensorflow 1.15.0 Google Tensorflow 1.15.2 Google Tensorflow 1.15.3 Google Tensorflow 1.15.4 Google Tensorflow 1.15.5 Google Tensorflow 2.0.0 Google Tensorflow 2.0.1 Google Tensorflow 2.0.2 Google Tensorflow 2.0.3 Google Tensorflow 2.0.4 Google Tensorflow 2.1.0 Google Tensorflow 2.1.1 Google Tensorflow 2.1.2 Google Tensorflow 2.1.3 Google Tensorflow 2.1.4 Google Tensorflow 2.2.0 Google Tensorflow 2.2.1 Google Tensorflow 2.2.2 Google Tensorflow 2.2.3 Google Tensorflow 2.3.0 Google Tensorflow 2.3.1 Google Tensorflow 2.3.2 Google Tensorflow 2.3.3 Google Tensorflow 2.3.4 Google Tensorflow 2.4.0 Google Tensorflow 2.4.1 Google Tensorflow 2.4.2 Google Tensorflow 2.4.3 Google Tensorflow 2.4.4 Google Tensorflow 2.5.0 Google Tensorflow 2.5.1 Google Tensorflow 2.5.2 Google Tensorflow 2.6.0 Google Tensorflow 2.6.1 Google Tensorflow 2.6.2	403

Common Weakness Enumeration (CWE)

CWE-617 - Reachable Assertion

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References