AI Threat Alert

CVE-2022-35937

CRITICAL
Published September 16, 2022

TensorFlow is an open source platform for machine learning. The `GatherNd` function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
tensorflow pip No patch
tensorflow pip No patch
tensorflow pip No patch
tensorflow pip No patch
tensorflow pip No patch
tensorflow pip No patch

Severity & Risk

CVSS 3.1
9.1 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
N/A

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. The `GatherNd` function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read is triggered. This issue has been patched in GitHub commit 595a65a3e224a0362d7e68c2213acfc2b499a196. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Weaknesses (CWE)

CWE-125

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022
Back to Threat Feed