CVE-2022-23562
Integer overflow in Tensorflow
7.6
HIGH
CVSS 3.1
EPSS 0.36%
Description
Tensorflow is an Open Source Machine Learning Framework. The implementation of `Range` suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. The fix will be included in TensorFlow 2.8.0. We will also cherry-pick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still within the supported range.
How to fix CVE-2022-23562
To remediate CVE-2022-23562, upgrade the affected package to a fixed version below.
- — upgrade to 2.5.3 or later
- — upgrade to 2.5.3 or later
- — upgrade to 2.5.3 or later
- — upgrade to f0147751fd5d2ff23251149ebad9af9f03010732 or later
- — upgrade to 2.5.3 or later
- — upgrade to f0147751fd5d2ff23251149ebad9af9f03010732 or later
Is CVE-2022-23562 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 2.5.3, >= 2.6.0, < 2.6.3, >= 2.7.0, < 2.7.1
- from 0, < 2.5.3
- from 0, < 2.5.3
- from 0, < f0147751fd5d2ff23251149ebad9af9f03010732 | from 0, < 2.5.3, >= 2.6.0, < 2.6.3
- from 0, < 2.5.3
- from 0, < f0147751fd5d2ff23251149ebad9af9f03010732 | from 0, < 2.5.3, >= 2.6.0, < 2.6.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H |