Skip to main content

Tensorflow CVE-2023-25671

HIGH
Out-of-bounds Write (CWE-787)
2023-03-25 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 25, 2023 - 00:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 59 pypi packages depend on tensorflow (50 direct, 10 indirect)
  • 1 pypi packages depend on tensorflow-cpu (0 direct, 1 indirect)

Ecosystem-wide dependent count for version 2.11.1 and other introduced versions.

DescriptionNVD

TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

AnalysisAI

TensorFlow is an open source platform for machine learning. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Write (CWE-787), which allows attackers to write data beyond allocated buffer boundaries leading to code execution or crashes. TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1. Affected products include: Google Tensorflow. Version information: version 2.12.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate write boundaries, use memory-safe languages, enable compiler protections (ASLR, stack canaries).

CVE-2020-15196 CRITICAL POC
9.9 Sep 25

In Tensorflow version 2.3.0, the `SparseCountSparseOutput` and `RaggedCountSparseOutput` implementations don't validate

CVE-2023-25668 CRITICAL POC
9.8 Mar 25

TensorFlow is an open source platform for machine learning. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2022-41900 CRITICAL POC
9.8 Nov 18

TensorFlow is an open source platform for machine learning. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2020-15208 CRITICAL POC
9.8 Sep 25

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of

CVE-2020-15205 CRITICAL POC
9.8 Sep 25

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGr

CVE-2022-41880 CRITICAL POC
9.1 Nov 18

TensorFlow is an open source platform for machine learning. Rated critical severity (CVSS 9.1), this vulnerability is re

CVE-2020-15207 CRITICAL POC
9.0 Sep 25

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative value

CVE-2020-15202 CRITICAL POC
9.0 Sep 25

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argu

CVE-2020-15195 HIGH POC
8.8 Sep 25

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of `SparseFillEmptyRowsGrad` use

CVE-2020-15212 HIGH POC
8.6 Sep 25

In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of hea

CVE-2022-41894 HIGH POC
8.1 Nov 18

TensorFlow is an open source platform for machine learning. Rated high severity (CVSS 8.1), this vulnerability is remote

CVE-2020-15214 HIGH POC
8.1 Sep 25

In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a write out bounds / segmentati

Share

CVE-2023-25671 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy