First published: Fri Nov 18 2022
TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google TensorFlow | <2.8.4 | |
Google TensorFlow | >=2.9.0 <2.9.3 | |
Google TensorFlow | =2.10.0 | |
CVE-2022-41884 is a vulnerability in TensorFlow, an open source platform for machine learning, in which creating a numpy array with a shape where one element is zero and the others sum to a large number raises an error.
The severity of CVE-2022-41884 is high with a severity value of 7.5.
CVE-2022-41884 affects Google TensorFlow versions before 2.8.4, versions from 2.9.0 up to but not including 2.9.3, and version 2.10.0.
The vulnerability has been patched in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784.
You can find more information about CVE-2022-41884 in the following references: [GitHub Commit](https://github.com/tensorflow/tensorflow/commit/2b56169c16e375c521a3bc8ea658811cc0793784) and [GitHub Security Advisory](https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jq6x-99hj-q636).