CVE-2022-23566

Description

Tensorflow is an Open Source Machine Learning Framework. TensorFlow is vulnerable to a heap OOB write in `Grappler`. The `set_output` function writes to an array at the specified index. Hence, this gives a malicious user a write primitive. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

How to fix CVE-2022-23566

To remediate CVE-2022-23566, upgrade the affected package to a fixed version below.

• —upgrade to 2.5.3 or later
• —upgrade to 2.5.3 or later
• —upgrade to 2.5.3 or later
• —upgrade to 97282c6d0d34476b6ba033f961590b783fa184cd or later
• —upgrade to 2.5.3 or later
• —upgrade to 97282c6d0d34476b6ba033f961590b783fa184cd or later

Is CVE-2022-23566 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 2.5.3, >= 2.6.0, < 2.6.3, >= 2.7.0, < 2.7.1
• from 0, < 2.5.3
• from 0, < 2.5.3
• from 0, < 97282c6d0d34476b6ba033f961590b783fa184cd | from 0, < 2.5.3, >= 2.6.0, < 2.6.3
• from 0, < 2.5.3
• from 0, < 97282c6d0d34476b6ba033f961590b783fa184cd | from 0, < 2.5.3, >= 2.6.0, < 2.6.3

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23566
• PATCHgithub.com/tensorflow/tensorflow
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-75.yaml
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-130.yaml