CVE-2022-41888

MEDIUM

TensorFlow < 2.8.4 - Denial of Service via Invalid Scores Input in generate_bounding_box_proposals

Title source: llm

Description

TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

References (3)

Core 3

Core References

Third Party Advisory

https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc

View Writeup ZIP pw:eip

Patch, Third Party Advisory

https://github.com/tensorflow/tensorflow/commit/cf35502463a88ca7185a99daa7031df60b3c1c98

View Patch ZIP pw:eip

Exploit, Patch, Third Party Advisory

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6x99-gv2v-q76v

Scores

CVSS v3 4.8

EPSS 0.0044

EPSS Percentile 34.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (4)

google/tensorflow < 2.8.4

pypi/tensorflow 0 - 2.8.4PyPI

pypi/tensorflow-cpu 0 - 2.8.4PyPI

pypi/tensorflow-gpu 0 - 2.8.4PyPI

Published Nov 18, 2022

Tracked Since Feb 18, 2026