CVE-2022-29216
Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's saved_model_cli tool is vulnerable to a code injection. This can be used to open a reverse shell. This code path was maintained for compatibility reasons as the maintainers had several test cases where numpy expressions were used as arguments. However, given that the tool is always run manually, the impact of this is still not severe. The maintainers have now removed the safe=False argument, so all parsing is done without calling eval. The patch is available in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | < 2.6.4 | 2.6.4 |
tensorflow-cpuPyPI | < 2.6.4 | 2.6.4 |
tensorflow-gpuPyPI | < 2.6.4 | 2.6.4 |
tensorflowPyPI | >= 2.7.0, < 2.7.2 | 2.7.2 |
tensorflowPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflow-cpuPyPI | >= 2.7.0, < 2.7.2 | 2.7.2 |
tensorflow-cpuPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
tensorflow-gpuPyPI | >= 2.7.0, < 2.7.2 | 2.7.2 |
tensorflow-gpuPyPI | >= 2.8.0, < 2.8.1 | 2.8.1 |
Affected products
5- osv-coords4 versions
< 2.6.4+ 3 more
- (no CPE)range: < 2.6.4
- (no CPE)range: < 2.6.4
- (no CPE)range: < 2.6.4
- (no CPE)range: < 2.6.4
- Range: < 2.6.4
Patches
Vulnerability mechanics
References
10- github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7nvdPatchThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/commit/c5da7af048611aa29e9382371f0aed5018516cacnvdPatchThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/security/advisories/GHSA-75c9-jrh4-79mcnvdExploitPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-75c9-jrh4-79mcghsaADVISORY
- github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/python/tools/saved_model_cli.pynvdThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.6.4nvdRelease NotesThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.7.2nvdRelease NotesThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.8.1nvdRelease NotesThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.9.0nvdRelease NotesThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2022-29216ghsaADVISORY
News mentions
0No linked articles in our index yet.