CVE-2022-23590

Description

Tensorflow is an Open Source Machine Learning Framework. A `GraphDef` from a TensorFlow `SavedModel` can be maliciously altered to cause a TensorFlow process to crash due to encountering a `StatusOr` value that is an error and forcibly extracting the value from it. We have patched the issue in multiple GitHub commits and these will be included in TensorFlow 2.8.0 and TensorFlow 2.7.1, as both are affected.

How to fix CVE-2022-23590

To remediate CVE-2022-23590, upgrade the affected package to a fixed version below.

• —upgrade to 2.7.1 or later
• —upgrade to 2.7.1 or later
• —upgrade to 2.7.1 or later
• —upgrade to 955059813cc325dc1db5e2daa6221271406d4439 or later
• —upgrade to 2.7.1 or later
• —upgrade to 955059813cc325dc1db5e2daa6221271406d4439 or later

Is CVE-2022-23590 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 2.7.1
• from 0, < 2.7.1
• from 0, < 2.7.1
• from 0, < 955059813cc325dc1db5e2daa6221271406d4439 | from 0, < 2.7.1
• from 0, < 2.7.1
• from 0, < 955059813cc325dc1db5e2daa6221271406d4439 | from 0, < 2.7.1

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23590
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-99.yaml
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-154.yaml
• WEBgithub.com/tensorflow/tensorflow