Vulnerability CVE-2022-21725

Vulnerability CVE-2022-21725

Published: 2022-02-03

Description:

Tensorflow is an Open Source Machine Learning Framework. The estimator for the cost of some convolution operations can be made to execute a division by 0. The function fails to check that the stride argument is strictly positive. Hence, the fix is to add a check for the stride argument to ensure it is valid. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Type:

CWE-369

(Divide By Zero)

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
4/10	2.9/10	8/10

Exploit range	Attack complexity	Authentication
Remote	Low	Single time
Confidentiality impact	Integrity impact	Availability impact
None	None	Partial

Affected software
Google -> Tensorflow

References:

https://github.com/tensorflow/tensorflow/blob/ffa202a17ab7a4a10182b746d230ea66f021fe16/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L189-L198

https://github.com/tensorflow/tensorflow/commit/3218043d6d3a019756607643cf65574fbfef5d7a

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v3f7-j968-4h5f

Vulnerability CVE-2022-21725

CWE-369

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:N/A:P)

4/10

2.9/10

8/10

Remote

Low

Single time

None

None

Partial

Affected software

References: