CVE-2022-23584

Description

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After `png::CommonFreeDecode(&decode)` gets called, the values of `decode.width` and `decode.height` are in an unspecified state. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

How to fix CVE-2022-23584

To remediate CVE-2022-23584, upgrade the affected package to a fixed version below.

• —upgrade to 2.5.3 or later
• —upgrade to 2.5.3 or later
• —upgrade to 2.5.3 or later
• —upgrade to e746adbfcfee15e9cfdb391ff746c765b99bdf9b or later
• —upgrade to 2.5.3 or later
• —upgrade to e746adbfcfee15e9cfdb391ff746c765b99bdf9b or later

Is CVE-2022-23584 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 2.5.3, >= 2.6.0, < 2.6.3, >= 2.7.0, < 2.7.1
• from 0, < 2.5.3
• from 0, < 2.5.3
• from 0, < e746adbfcfee15e9cfdb391ff746c765b99bdf9b | from 0, < 2.5.3, >= 2.6.0, < 2.6.3
• from 0, < 2.5.3
• from 0, < e746adbfcfee15e9cfdb391ff746c765b99bdf9b | from 0, < 2.5.3, >= 2.6.0, < 2.6.3

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23584
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-93.yaml
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-148.yaml
• WEBgithub.com/tensorflow/tensorflow