CVE-2022-29198

Summary

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.SparseTensorToCSRSparseMatrix does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code assumes dense_shape is a vector and indices is a matrix (as part of requirements for sparse tensors) but there is no validation for this. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Affected Software

VendorProductVersion RangeStatus
tensorflowtensorflow< 2.6.4affected
tensorflowtensorflow>= 2.7.0rc0, < 2.7.2affected
tensorflowtensorflow>= 2.8.0rc0, < 2.8.1affected
tensorflowtensorflow>= 2.9.0rc0, < 2.9.0affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References