First published: Fri Nov 18 2022(Updated: )
TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google TensorFlow | <2.8.4 | Upgrade to 2.8.4 |
Google TensorFlow | >=2.9.0, <2.9.3 | Upgrade to 2.9.3 |
Google TensorFlow | >=2.10.0, <2.10.1 | Upgrade to 2.10.1 |
CVE-2022-41888 is a vulnerability in TensorFlow where the `tf.image.generate_bounding_box_proposals` function does not check the rank of the `scores` input when running on GPU.
The severity of CVE-2022-41888 is high, with a severity CVSS score of 7.5.
CVE-2022-41888 affects Google TensorFlow versions before 2.8.4, versions 2.9.0 through 2.9.2, and version 2.10.0. The fixed releases are 2.8.4, 2.9.3, 2.10.1, and 2.11.
The issue has been patched in the GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. You should update your TensorFlow installation to one of the patched releases (2.8.4, 2.9.3, 2.10.1, or 2.11 and later) to fix the vulnerability.
The CWE ID for CVE-2022-41888 is CWE-20, which represents improper input validation.
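The missing check is a rank assertion on the `scores` input. The following is an added example, not TensorFlow's code or its fix, showing the kind of caller-side shape guard that keeps a malformed `scores` tensor from ever reaching the GPU kernel. Only the rank-4 requirement on `scores` comes from the advisory; the shape contracts assumed for `bbox_deltas` ([N, H, W, 4*A]), `image_info` ([N, 5]) and `anchors` ([A, 4]) are taken from the op's documented signature as I understand it and should be confirmed against the TensorFlow version in use. The op itself is deliberately not imported so the guard runs offline on constructed numpy inputs; `call_with_guard` takes the op as a callable.

```python
"""Caller-side shape guard for tf.image.generate_bounding_box_proposals.

Added example (not TensorFlow's own code). TensorFlow is not imported so the
check runs offline; in production, pass the real op to call_with_guard().
"""
import numpy as np


def check_proposal_inputs(scores, bbox_deltas, image_info, anchors):
    """Return (num_images, height, width, num_anchors) or raise ValueError.

    The rank-4 requirement on `scores` is the check named in the advisory.
    The remaining shape contracts are assumptions from the op's documented
    signature, not facts stated on this page.
    """
    scores = np.asarray(scores)
    bbox_deltas = np.asarray(bbox_deltas)
    image_info = np.asarray(image_info)
    anchors = np.asarray(anchors)

    # The check the unpatched GPU path lacked: scores must be rank 4.
    if scores.ndim != 4:
        raise ValueError(
            "scores must be rank 4 [num_images, height, width, num_anchors], "
            f"got rank {scores.ndim} with shape {scores.shape}")
    num_images, height, width, num_anchors = scores.shape

    # Assumed contract: bbox_deltas is [N, H, W, 4*A] and must agree with scores.
    expected = (num_images, height, width, 4 * num_anchors)
    if bbox_deltas.shape != expected:
        raise ValueError(
            f"bbox_deltas must have shape {expected}, got {bbox_deltas.shape}")

    # Assumed contract: image_info is [N, 5]; anchors is [A, 4].
    if image_info.shape != (num_images, 5):
        raise ValueError(
            f"image_info must have shape {(num_images, 5)}, got {image_info.shape}")
    if anchors.shape != (num_anchors, 4):
        raise ValueError(
            f"anchors must have shape {(num_anchors, 4)}, got {anchors.shape}")
    return num_images, height, width, num_anchors


def make_inputs(num_images=2, height=3, width=4, num_anchors=9,
                scores_rank=4, seed=0):
    """Constructed sample inputs; scores_rank=3 reproduces the malformed case."""
    rng = np.random.default_rng(seed)
    scores = rng.random((num_images, height, width, num_anchors), dtype=np.float32)
    if scores_rank == 3:
        # Same element count, wrong rank: exactly what the missing check let through.
        scores = scores.reshape(num_images, height, width * num_anchors)
    elif scores_rank != 4:
        raise ValueError("demo supports scores_rank 3 or 4 only")
    bbox_deltas = rng.random((num_images, height, width, 4 * num_anchors),
                             dtype=np.float32)
    # Constructed image_info rows: height, width, scale, original height/width.
    image_info = np.array([[480.0, 640.0, 1.0, 480.0, 640.0]] * num_images,
                          dtype=np.float32)
    anchors = rng.random((num_anchors, 4), dtype=np.float32)
    return scores, bbox_deltas, image_info, anchors


def call_with_guard(op, scores, bbox_deltas, image_info, anchors, **kwargs):
    """Validate shapes, then call `op`; the kernel never sees bad input."""
    check_proposal_inputs(scores, bbox_deltas, image_info, anchors)
    return op(scores, bbox_deltas, image_info, anchors, **kwargs)


def rejects_bad_rank():
    """True if a rank-3 `scores` is rejected before the op is invoked."""
    scores, bbox_deltas, image_info, anchors = make_inputs(scores_rank=3)
    called = []
    try:
        call_with_guard(lambda *a, **k: called.append(True),
                        scores, bbox_deltas, image_info, anchors)
    except ValueError:
        return not called
    return False


if __name__ == "__main__":
    print("valid inputs:", check_proposal_inputs(*make_inputs()))
    print("rank-3 scores rejected before op:", rejects_bad_rank())
```

On a patched release the kernel performs the rank check itself; the guard still earns its keep when inputs come from untrusted model files or serving requests, because it fails with a Python exception instead of letting a native kernel decide what to do with an unexpected shape.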