| Vulnerability Name: | CVE-2022-29212 (CCN-227111) | ||||||||||||
| Assigned: | 2022-05-17 | ||||||||||||
| Published: | 2022-05-17 | ||||||||||||
| Updated: | 2022-06-03 | ||||||||||||
| Summary: | TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, certain TFLite models that were created using TFLite model converter would crash when loaded in the TFLite interpreter. The culprit is that during quantization the scale of values could be greater than 1 but code was always assuming sub-unit scaling. Thus, since code was calling `QuantizeMultiplierSmallerThanOneExp`, the `TFLITE_CHECK_LT` assertion would trigger and abort the process. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue. | ||||||||||||
| CVSS v3 Severity: | 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) 4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P)
| ||||||||||||
| Vulnerability Type: | CWE-20 | ||||||||||||
| Vulnerability Consequences: | Denial of Service | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-29212 Source: XF Type: UNKNOWN tensorflow-cve202229212-dos(227111) Source: MISC Type: Third Party Advisory https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/lite/kernels/internal/quantization_util.cc#L114-L123 Source: MISC Type: Patch, Third Party Advisory https://github.com/tensorflow/tensorflow/commit/a989426ee1346693cc015792f11d715f6944f2b8 Source: MISC Type: Exploit, Issue Tracking, Third Party Advisory https://github.com/tensorflow/tensorflow/issues/43661 Source: MISC Type: Release Notes, Third Party Advisory https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4 Source: MISC Type: Release Notes, Third Party Advisory https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2 Source: MISC Type: Release Notes, Third Party Advisory https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1 Source: MISC Type: Release Notes, Third Party Advisory https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0 Source: CCN Type: TensorFlow GIT Repository Core dump when loading TFLite models with quantization Source: CONFIRM Type: Exploit, Patch, Third Party Advisory https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8wwm-6264-x792 Source: CCN Type: IBM Security Bulletin 6598705 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow Source: CCN Type: IBM Security Bulletin 6988959 (Maximo Application Suite) Tensorflow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component Source: CCN Type: Mend Vulnerability Database CVE-2022-29212 Source: CCN Type: TensorFlow Web site TensorFlow | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||