Bitnami package
tensorflow
pkg:bitnami/tensorflow
Vulnerabilities (423)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-23568 | — | < 2.5.3 | 2.5.3 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of `AddManySparseToTensorsMap` is vulnerable to an integer overflow which results in a `CHECK`-fail when building new `TensorShape` objects (so, an assert failure based denial of service). We are missing | ||
| CVE-2022-21731 | — | < 2.5.3 | 2.5.3 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `ConcatV2` can be used to trigger a denial of service attack via a segfault caused by a type confusion. The `axis` argument is translated into `concat_dim` in the `ConcatShapeHelper | ||
| CVE-2022-21733 | — | < 2.5.3 | 2.5.3 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of `StringNGrams` can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. We are missing a validation on `pad_witdh` and that result in computing | ||
| CVE-2022-21732 | — | < 2.5.3 | 2.5.3 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of `ThreadPoolHandle` can be used to trigger a denial of service attack by allocating too much memory. This is because the `num_threads` argument is only checked to not be negative, but there is no upper | ||
| CVE-2022-21727 | — | < 2.5.3 | 2.5.3 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulnerable to an integer overflow weakness. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the num | ||
| CVE-2022-21726 | — | < 2.5.3 | 2.5.3 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value a | ||
| CVE-2022-21728 | — | < 2.5.3 | 2.5.3 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `ReverseSequence` does not fully validate the value of `batch_dim` and can result in a heap OOB read. There is a check to make sure the value of `batch_dim` does not go over the ran | ||
| CVE-2022-21730 | — | < 2.5.3 | 2.5.3 | Feb 3, 2022 | Tensorflow is an Open Source Machine Learning Framework. The implementation of `FractionalAvgPoolGrad` does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap. The fix will be included in TensorFlow 2.8.0. We will al | ||
| CVE-2021-41227 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the `ImmutableConst` operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the `tstring` TensorFlow string class has a special case for memory mapped strings | ||
| CVE-2021-41225 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's Grappler optimizer has a use of unitialized variable. If the `train_nodes` vector (obtained from the saved model that gets optimized) does not contain a `Dequeue` node, then `dequeue_nod | ||
| CVE-2021-41222 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SplitV` can trigger a segfault is an attacker supplies negative arguments. This occurs whenever `size_splits` contains more than one value and at least one value is negative. T | ||
| CVE-2021-41228 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI too | ||
| CVE-2021-41220 | — | >= 2.6.0, < 2.6.1 | 2.6.1 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the async implementation of `CollectiveReduceV2` suffers from a memory leak and a use after free. This occurs due to the asynchronous computation and the fact that objects that have been `std::move() | ||
| CVE-2021-41221 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the `Cudnn*` operations in TensorFlow can be tricked into accessing invalid memory, via a heap buffer overflow. This occurs because the ranks of the `input`, `input_h` an | ||
| CVE-2021-41216 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the shape inference function for `Transpose` is vulnerable to a heap buffer overflow. This occurs whenever `perm` contains negative elements. The shape inference function does not validate that the i | ||
| CVE-2021-41213 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the code behind `tf.function` API can be made to deadlock when two `tf.function` decorated Python functions are mutually recursive. This occurs due to using a non-reentrant `Lock` Python object. Load | ||
| CVE-2021-41218 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `AllToAll` can be made to execute a division by 0. This occurs whenever the `split_count` argument is 0. The fix will be included in TensorFlow 2.7.0. We will also cherry | ||
| CVE-2021-41206 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or `CHECK`-f | ||
| CVE-2021-41208 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service (via dereferencing `nullptr`s or via `CHECK`-failures) as well as abuse unde | ||
| CVE-2021-41207 | — | >= 2.4.0, < 2.4.4 | 2.4.4 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the implementation of `ParallelConcat` misses some input validation and can produce a division by 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2. |
- CVE-2022-23568Feb 3, 2022affected < 2.5.3fixed 2.5.3
Tensorflow is an Open Source Machine Learning Framework. The implementation of `AddManySparseToTensorsMap` is vulnerable to an integer overflow which results in a `CHECK`-fail when building new `TensorShape` objects (so, an assert failure based denial of service). We are missing
- CVE-2022-21731Feb 3, 2022affected < 2.5.3fixed 2.5.3
Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `ConcatV2` can be used to trigger a denial of service attack via a segfault caused by a type confusion. The `axis` argument is translated into `concat_dim` in the `ConcatShapeHelper
- CVE-2022-21733Feb 3, 2022affected < 2.5.3fixed 2.5.3
Tensorflow is an Open Source Machine Learning Framework. The implementation of `StringNGrams` can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. We are missing a validation on `pad_witdh` and that result in computing
- CVE-2022-21732Feb 3, 2022affected < 2.5.3fixed 2.5.3
Tensorflow is an Open Source Machine Learning Framework. The implementation of `ThreadPoolHandle` can be used to trigger a denial of service attack by allocating too much memory. This is because the `num_threads` argument is only checked to not be negative, but there is no upper
- CVE-2022-21727Feb 3, 2022affected < 2.5.3fixed 2.5.3
Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulnerable to an integer overflow weakness. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the num
- CVE-2022-21726Feb 3, 2022affected < 2.5.3fixed 2.5.3
Tensorflow is an Open Source Machine Learning Framework. The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value a
- CVE-2022-21728Feb 3, 2022affected < 2.5.3fixed 2.5.3
Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `ReverseSequence` does not fully validate the value of `batch_dim` and can result in a heap OOB read. There is a check to make sure the value of `batch_dim` does not go over the ran
- CVE-2022-21730Feb 3, 2022affected < 2.5.3fixed 2.5.3
Tensorflow is an Open Source Machine Learning Framework. The implementation of `FractionalAvgPoolGrad` does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap. The fix will be included in TensorFlow 2.8.0. We will al
- CVE-2021-41227Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions the `ImmutableConst` operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the `tstring` TensorFlow string class has a special case for memory mapped strings
- CVE-2021-41225Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's Grappler optimizer has a use of unitialized variable. If the `train_nodes` vector (obtained from the saved model that gets optimized) does not contain a `Dequeue` node, then `dequeue_nod
- CVE-2021-41222Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SplitV` can trigger a segfault is an attacker supplies negative arguments. This occurs whenever `size_splits` contains more than one value and at least one value is negative. T
- CVE-2021-41228Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI too
- CVE-2021-41220Nov 5, 2021affected >= 2.6.0, < 2.6.1fixed 2.6.1
TensorFlow is an open source platform for machine learning. In affected versions the async implementation of `CollectiveReduceV2` suffers from a memory leak and a use after free. This occurs due to the asynchronous computation and the fact that objects that have been `std::move()
- CVE-2021-41221Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the `Cudnn*` operations in TensorFlow can be tricked into accessing invalid memory, via a heap buffer overflow. This occurs because the ranks of the `input`, `input_h` an
- CVE-2021-41216Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions the shape inference function for `Transpose` is vulnerable to a heap buffer overflow. This occurs whenever `perm` contains negative elements. The shape inference function does not validate that the i
- CVE-2021-41213Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions the code behind `tf.function` API can be made to deadlock when two `tf.function` decorated Python functions are mutually recursive. This occurs due to using a non-reentrant `Lock` Python object. Load
- CVE-2021-41218Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `AllToAll` can be made to execute a division by 0. This occurs whenever the `split_count` argument is 0. The fix will be included in TensorFlow 2.7.0. We will also cherry
- CVE-2021-41206Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or `CHECK`-f
- CVE-2021-41208Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service (via dereferencing `nullptr`s or via `CHECK`-failures) as well as abuse unde
- CVE-2021-41207Nov 5, 2021affected >= 2.4.0, < 2.4.4fixed 2.4.4
TensorFlow is an open source platform for machine learning. In affected versions the implementation of `ParallelConcat` misses some input validation and can produce a division by 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.
Page 10 of 22