AI Threat Alert
CVE-2022-23595
MEDIUMTensorflow is an Open Source Machine Learning Framework. When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference. In the default scenario,...
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
Severity & Risk
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
Tensorflow is an Open Source Machine Learning Framework. When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference. In the default scenario, all devices are allowed, so `flr->config_proto` is `nullptr`. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References
- github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/jit/xla_platform_info.cc Exploit 3rd Party
- github.com/tensorflow/tensorflow/commit/e21af685e1828f7ca65038307df5cc06de4479e8 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-fpcp-9h7m-ffpx Patch 3rd Party
- github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/jit/xla_platform_info.cc Exploit 3rd Party
- github.com/tensorflow/tensorflow/commit/e21af685e1828f7ca65038307df5cc06de4479e8 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-fpcp-9h7m-ffpx Patch 3rd Party