tensorflow-cpu 2.10.1 vulnerabilities

Known vulnerabilities in the tensorflow-cpu package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Integer Overflow or Wraparound tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to the `array_ops.upper_bound` function. An attacker can cause a denial of service by providing input that is not a rank 2 tensor. How to fix Integer Overflow or Wraparound? Upgrade `tensorflow-cpu` to version 2.12.0 or higher.	[,2.12.0)
M Denial of Service (DoS) tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a malicious invalid input with zero dimension, which crashes a TensorFlow model (Check Failed). Note: An attacker must have privilege to provide input to a `Convolution3DTranspose` call. How to fix Denial of Service (DoS)? Upgrade `tensorflow-cpu` to version 2.11.1 or higher.	[,2.11.1)
H Heap-based Buffer Overflow tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Heap-based Buffer Overflow. Attackers can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1. How to fix Heap-based Buffer Overflow? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H NULL Pointer Dereference tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to NULL Pointer Dereference when `SparseSparseMaximum` is given invalid sparse tensors as inputs. How to fix NULL Pointer Dereference? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Denial of Service (DoS) tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Denial of Service (DoS) when running with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero. How to fix Denial of Service (DoS)? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H NULL Pointer Dereference tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to NULL Pointer Dereference due to a null pointer error in `RandomShuffle` with `XLA` enabled. How to fix NULL Pointer Dereference? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Denial of Service (DoS) tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception in `TensorListSplit` with `XLA`. How to fix Denial of Service (DoS)? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H NULL Pointer Dereference tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to NULL Pointer Dereference. The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives a null pointer exception. How to fix NULL Pointer Dereference? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Incorrect Comparison tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Incorrect Comparison. Constructing a `tflite` model with a paramater `filter_input_channel` of less than 1 gives a float pointer exception. How to fix Incorrect Comparison? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Denial of Service (DoS) tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Denial of Service (DoS). When running with XLA, `tf.raw_ops.Bincount` segfaults when given a parameter `weights` that is neither the same shape as parameter `arr` nor a length-0 tensor. How to fix Denial of Service (DoS)? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Buffer Overflow tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Buffer Overflow in `TAvgPoolGrad`. How to fix Buffer Overflow? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Integer Overflow to Buffer Overflow tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Integer Overflow to Buffer Overflow when `2^31 <= num_frames * height * width * channels < 2^32`, for example Full HD screencast of at least 346 frames. How to fix Integer Overflow to Buffer Overflow? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Integer Overflow or Wraparound tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Integer Overflow or Wraparound in `EditDistance`. A fix is included in TensorFlow version 2.12.0 and version 2.11.1. How to fix Integer Overflow or Wraparound? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Out-of-Bounds tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Out-of-Bounds due to mismatched integer type sizes in `ValueMap::Manager::GetValueOrCreatePlaceholder`, because there is a bug with the `tfg-translate` call to `InitMlir`. How to fix Out-of-Bounds? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Denial of Service (DoS) tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception if the stride and window size are not positive for `tf.raw_ops.AvgPoolGrad`. How to fix Denial of Service (DoS)? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H NULL Pointer Dereference tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to NULL Pointer Dereference. When `ctx->step_containter()` is a null ptr, the `Lookup` function will be executed with a null pointer. How to fix NULL Pointer Dereference? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Denial of Service (DoS) tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Denial of Service (DoS). When the parameter `summarize` of `tf.raw_ops.Print` is zero, the new method `SummarizeArray<bool>` will reference to a nullptr, leading to a seg fault. How to fix Denial of Service (DoS)? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Double Free tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Double Free. The `nn_ops.fractional_avg_pool_v2` and `nn_ops.fractional_max_pool_v2` functions require the first and fourth elements of their parameter `pooling_ratio` to be equal to 1.0, as pooling on batch and channel dimensions is not supported. How to fix Double Free? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
M NULL Pointer Dereference tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to NULL Pointer Dereference in `QuantizedMatMulWithBiasAndDequantize` with MKL enabled. How to fix NULL Pointer Dereference? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Denial of Service (DoS) tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception in `AudioSpectrogram`. How to fix Denial of Service (DoS)? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Out-of-bounds Read tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Out-of-bounds Read if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`. How to fix Out-of-bounds Read? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)
H Out-of-bounds Read tensorflow-cpu is a machine learning framework. Affected versions of this package are vulnerable to Out-of-bounds Read in `GRUBlockCellGrad`. How to fix Out-of-bounds Read? Upgrade `tensorflow-cpu` to version 2.11.1, 2.12.0 or higher.	[,2.11.1)[2.12.0rc0,2.12.0)

Vulnerability

Vulnerable Version

Integer Overflow or Wraparound

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to the array_ops.upper_bound function. An attacker can cause a denial of service by providing input that is not a rank 2 tensor.

How to fix Integer Overflow or Wraparound?

Upgrade tensorflow-cpu to version 2.12.0 or higher.

[,2.12.0)

Denial of Service (DoS)

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a malicious invalid input with zero dimension, which crashes a TensorFlow model (Check Failed).

Note: An attacker must have privilege to provide input to a Convolution3DTranspose call.

How to fix Denial of Service (DoS)?

Upgrade tensorflow-cpu to version 2.11.1 or higher.

[,2.11.1)

Heap-based Buffer Overflow

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow. Attackers can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1.

How to fix Heap-based Buffer Overflow?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

NULL Pointer Dereference

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference when SparseSparseMaximum is given invalid sparse tensors as inputs.

How to fix NULL Pointer Dereference?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Denial of Service (DoS)

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) when running with XLA, tf.raw_ops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero.

How to fix Denial of Service (DoS)?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

NULL Pointer Dereference

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference due to a null pointer error in RandomShuffle with XLA enabled.

How to fix NULL Pointer Dereference?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Denial of Service (DoS)

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception in TensorListSplit with XLA.

How to fix Denial of Service (DoS)?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

NULL Pointer Dereference

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference. The function tf.raw_ops.LookupTableImportV2 cannot handle scalars in the values parameter and gives a null pointer exception.

How to fix NULL Pointer Dereference?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Incorrect Comparison

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Incorrect Comparison. Constructing a tflite model with a paramater filter_input_channel of less than 1 gives a float pointer exception.

How to fix Incorrect Comparison?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Denial of Service (DoS)

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). When running with XLA, tf.raw_ops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor.

How to fix Denial of Service (DoS)?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Buffer Overflow

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Buffer Overflow in TAvgPoolGrad.

How to fix Buffer Overflow?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Integer Overflow to Buffer Overflow

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Integer Overflow to Buffer Overflow when 2^31 <= num_frames * height * width * channels < 2^32, for example Full HD screencast of at least 346 frames.

How to fix Integer Overflow to Buffer Overflow?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Integer Overflow or Wraparound

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

How to fix Integer Overflow or Wraparound?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Out-of-Bounds

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Out-of-Bounds due to mismatched integer type sizes in ValueMap::Manager::GetValueOrCreatePlaceholder, because there is a bug with the tfg-translate call to InitMlir.

How to fix Out-of-Bounds?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Denial of Service (DoS)

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception if the stride and window size are not positive for tf.raw_ops.AvgPoolGrad.

How to fix Denial of Service (DoS)?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

NULL Pointer Dereference

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference. When ctx->step_containter() is a null ptr, the Lookup function will be executed with a null pointer.

How to fix NULL Pointer Dereference?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Denial of Service (DoS)

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). When the parameter summarize of tf.raw_ops.Print is zero, the new method SummarizeArray<bool> will reference to a nullptr, leading to a seg fault.

How to fix Denial of Service (DoS)?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Double Free

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Double Free. The nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2 functions require the first and fourth elements of their parameter pooling_ratio to be equal to 1.0, as pooling on batch and channel dimensions is not supported.

How to fix Double Free?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

NULL Pointer Dereference

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference in QuantizedMatMulWithBiasAndDequantize with MKL enabled.

How to fix NULL Pointer Dereference?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Denial of Service (DoS)

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception in AudioSpectrogram.

How to fix Denial of Service (DoS)?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Out-of-bounds Read

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Out-of-bounds Read if the parameter indices for DynamicStitch does not match the shape of the parameter data.

How to fix Out-of-bounds Read?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

Out-of-bounds Read

tensorflow-cpu is a machine learning framework.

Affected versions of this package are vulnerable to Out-of-bounds Read in GRUBlockCellGrad.

How to fix Out-of-bounds Read?

Upgrade tensorflow-cpu to version 2.11.1, 2.12.0 or higher.

[,2.11.1)[2.12.0rc0,2.12.0)

tensorflow-cpu@2.10.1 vulnerabilities

TensorFlow is an open source machine learning framework for everyone.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?