Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-35973 (GCVE-0-2022-35973)
Vulnerability from cvelistv5 – Published: 2022-09-16 21:00 – Updated: 2025-04-23 17:02
VLAI?
EPSS
Summary
TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Severity ?
5.9 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tensorflow | tensorflow |
Affected:
< 2.7.2
Affected: >= 2.8.0, < 2.8.1 Affected: >= 2.9.0, < 2.9.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:59:27.776793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:02:49.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
},
{
"status": "affected",
"version": "\u003e= 2.8.0, \u003c 2.8.1"
},
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T21:00:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48"
}
],
"source": {
"advisory": "GHSA-689c-r7h2-fv9v",
"discovery": "UNKNOWN"
},
"title": "Segfault in `QuantizedMatMul` in TensorFlow",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-35973",
"STATE": "PUBLIC",
"TITLE": "Segfault in `QuantizedMatMul` in TensorFlow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.2"
},
{
"version_value": "\u003e= 2.8.0, \u003c 2.8.1"
},
{
"version_value": "\u003e= 2.9.0, \u003c 2.9.1"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48"
}
]
},
"source": {
"advisory": "GHSA-689c-r7h2-fv9v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35973",
"datePublished": "2022-09-16T21:00:14.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:02:49.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.7.0\", \"versionEndExcluding\": \"2.7.2\", \"matchCriteriaId\": \"C4DFBF2D-5283-42F6-8800-D653BFA5CE82\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.8.0\", \"versionEndExcluding\": \"2.8.1\", \"matchCriteriaId\": \"0F9D273D-02DC-441E-AA91-EAC8DEAA4B44\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.9.0\", \"versionEndExcluding\": \"2.9.1\", \"matchCriteriaId\": \"FE4F8A81-6CC2-4F7F-9602-C170FDD926E7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:tensorflow:2.10:rc0:*:*:*:*:*:*\", \"matchCriteriaId\": \"1DBFBCE2-0A01-4575-BE45-6775ABFB8B28\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:tensorflow:2.10:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"89806CF9-E423-4CA6-A01A-8175C260CB24\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:tensorflow:2.10:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"F2B80690-A257-4E16-BD27-9AE045BC56ED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:tensorflow:2.10:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"F335F9A4-5AB8-4E53-BC18-E01F7C653E5E\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.\"}, {\"lang\": \"es\", \"value\": \"TensorFlow es una plataforma de c\\u00f3digo abierto para el aprendizaje autom\\u00e1tico. Si \\\"QuantizedMatMul\\\" recibe una entrada no escalar para: \\\"min_a\\\", \\\"max_a\\\", \\\"min_b\\\", o \\\"max_b\\\" resulta en un segfault que puede ser usado para desencadenar un ataque de denegaci\\u00f3n de servicio. Hemos parcheado el problema en el commit de GitHub aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. La correcci\\u00f3n ser\\u00e1 incluida en TensorFlow versi\\u00f3n 2.10.0. Tambi\\u00e9n seleccionaremos este compromiso en TensorFlow versi\\u00f3n 2.9.1, TensorFlow versi\\u00f3n 2.8.1, y TensorFlow versi\\u00f3n 2.7.2, ya que estos tambi\\u00e9n est\\u00e1n afectados y todav\\u00eda est\\u00e1n en el rango admitido. No se presentan mitigaciones conocidas para este problema\"}]",
"id": "CVE-2022-35973",
"lastModified": "2024-11-21T07:12:05.223",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2022-09-16T21:15:09.490",
"references": "[{\"url\": \"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-35973\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-16T21:15:09.490\",\"lastModified\":\"2024-11-21T07:12:05.223\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.\"},{\"lang\":\"es\",\"value\":\"TensorFlow es una plataforma de c\u00f3digo abierto para el aprendizaje autom\u00e1tico. Si \\\"QuantizedMatMul\\\" recibe una entrada no escalar para: \\\"min_a\\\", \\\"max_a\\\", \\\"min_b\\\", o \\\"max_b\\\" resulta en un segfault que puede ser usado para desencadenar un ataque de denegaci\u00f3n de servicio. Hemos parcheado el problema en el commit de GitHub aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. La correcci\u00f3n ser\u00e1 incluida en TensorFlow versi\u00f3n 2.10.0. Tambi\u00e9n seleccionaremos este compromiso en TensorFlow versi\u00f3n 2.9.1, TensorFlow versi\u00f3n 2.8.1, y TensorFlow versi\u00f3n 2.7.2, ya que estos tambi\u00e9n est\u00e1n afectados y todav\u00eda est\u00e1n en el rango admitido. No se presentan mitigaciones conocidas para este problema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.7.0\",\"versionEndExcluding\":\"2.7.2\",\"matchCriteriaId\":\"C4DFBF2D-5283-42F6-8800-D653BFA5CE82\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.8.0\",\"versionEndExcluding\":\"2.8.1\",\"matchCriteriaId\":\"0F9D273D-02DC-441E-AA91-EAC8DEAA4B44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.9.0\",\"versionEndExcluding\":\"2.9.1\",\"matchCriteriaId\":\"FE4F8A81-6CC2-4F7F-9602-C170FDD926E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:2.10:rc0:*:*:*:*:*:*\",\"matchCriteriaId\":\"1DBFBCE2-0A01-4575-BE45-6775ABFB8B28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:2.10:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"89806CF9-E423-4CA6-A01A-8175C260CB24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:2.10:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2B80690-A257-4E16-BD27-9AE045BC56ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:2.10:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F335F9A4-5AB8-4E53-BC18-E01F7C653E5E\"}]}]}],\"references\":[{\"url\":\"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T09:51:59.641Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-35973\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:59:27.776793Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T13:59:29.047Z\"}}], \"cna\": {\"title\": \"Segfault in `QuantizedMatMul` in TensorFlow\", \"source\": {\"advisory\": \"GHSA-689c-r7h2-fv9v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"tensorflow\", \"product\": \"tensorflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.7.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.8.0, \u003c 2.8.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.9.0, \u003c 2.9.1\"}]}], \"references\": [{\"url\": \"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-09-16T21:00:14.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, \"source\": {\"advisory\": \"GHSA-689c-r7h2-fv9v\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003c 2.7.2\"}, {\"version_value\": \"\u003e= 2.8.0, \u003c 2.8.1\"}, {\"version_value\": \"\u003e= 2.9.0, \u003c 2.9.1\"}]}, \"product_name\": \"tensorflow\"}]}, \"vendor_name\": \"tensorflow\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v\", \"name\": \"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48\", \"name\": \"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-20: Improper Input Validation\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-35973\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Segfault in `QuantizedMatMul` in TensorFlow\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-35973\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T17:02:49.153Z\", \"dateReserved\": \"2022-07-15T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-09-16T21:00:14.000Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2022-35973
Vulnerability from fkie_nvd - Published: 2022-09-16 21:15 - Updated: 2024-11-21 07:12
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | * | ||
| tensorflow | * | ||
| tensorflow | * | ||
| tensorflow | 2.10 | ||
| tensorflow | 2.10 | ||
| tensorflow | 2.10 | ||
| tensorflow | 2.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C4DFBF2D-5283-42F6-8800-D653BFA5CE82",
"versionEndExcluding": "2.7.2",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9D273D-02DC-441E-AA91-EAC8DEAA4B44",
"versionEndExcluding": "2.8.1",
"versionStartIncluding": "2.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FE4F8A81-6CC2-4F7F-9602-C170FDD926E7",
"versionEndExcluding": "2.9.1",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:tensorflow:2.10:rc0:*:*:*:*:*:*",
"matchCriteriaId": "1DBFBCE2-0A01-4575-BE45-6775ABFB8B28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:tensorflow:2.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89806CF9-E423-4CA6-A01A-8175C260CB24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:tensorflow:2.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "F2B80690-A257-4E16-BD27-9AE045BC56ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:tensorflow:2.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F335F9A4-5AB8-4E53-BC18-E01F7C653E5E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue."
},
{
"lang": "es",
"value": "TensorFlow es una plataforma de c\u00f3digo abierto para el aprendizaje autom\u00e1tico. Si \"QuantizedMatMul\" recibe una entrada no escalar para: \"min_a\", \"max_a\", \"min_b\", o \"max_b\" resulta en un segfault que puede ser usado para desencadenar un ataque de denegaci\u00f3n de servicio. Hemos parcheado el problema en el commit de GitHub aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. La correcci\u00f3n ser\u00e1 incluida en TensorFlow versi\u00f3n 2.10.0. Tambi\u00e9n seleccionaremos este compromiso en TensorFlow versi\u00f3n 2.9.1, TensorFlow versi\u00f3n 2.8.1, y TensorFlow versi\u00f3n 2.7.2, ya que estos tambi\u00e9n est\u00e1n afectados y todav\u00eda est\u00e1n en el rango admitido. No se presentan mitigaciones conocidas para este problema"
}
],
"id": "CVE-2022-35973",
"lastModified": "2024-11-21T07:12:05.223",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-16T21:15:09.490",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2022-35973
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-35973",
"description": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"id": "GSD-2022-35973",
"references": [
"https://www.suse.com/security/cve/CVE-2022-35973.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-35973"
],
"details": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"id": "GSD-2022-35973",
"modified": "2023-12-13T01:19:33.833492Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-35973",
"STATE": "PUBLIC",
"TITLE": "Segfault in `QuantizedMatMul` in TensorFlow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.2"
},
{
"version_value": "\u003e= 2.8.0, \u003c 2.8.1"
},
{
"version_value": "\u003e= 2.9.0, \u003c 2.9.1"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48"
}
]
},
"source": {
"advisory": "GHSA-689c-r7h2-fv9v",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2.7.2||\u003e=2.8.0,\u003c2.8.1||\u003e=2.9.0,\u003c2.9.1",
"affected_versions": "All versions before 2.7.2, all versions starting from 2.8.0 before 2.8.1, all versions starting from 2.9.0 before 2.9.1",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2022-09-16",
"description": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"fixed_versions": [
"2.7.2",
"2.8.1",
"2.9.1"
],
"identifier": "CVE-2022-35973",
"identifiers": [
"GHSA-689c-r7h2-fv9v",
"CVE-2022-35973"
],
"not_impacted": "All versions starting from 2.7.2 before 2.8.0, all versions starting from 2.8.1 before 2.9.0, all versions starting from 2.9.1",
"package_slug": "pypi/tensorflow-cpu",
"pubdate": "2022-09-16",
"solution": "Upgrade to versions 2.7.2, 2.8.1, 2.9.1 or above.",
"title": "Improper Input Validation",
"urls": [
"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v",
"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48",
"https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0",
"https://github.com/advisories/GHSA-689c-r7h2-fv9v"
],
"uuid": "1a7f760d-7a20-41a2-9662-ab650a7b0c0d"
},
{
"affected_range": "\u003c2.7.2||\u003e=2.8.0,\u003c2.8.1||\u003e=2.9.0,\u003c2.9.1",
"affected_versions": "All versions before 2.7.2, all versions starting from 2.8.0 before 2.8.1, all versions starting from 2.9.0 before 2.9.1",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2022-09-16",
"description": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"fixed_versions": [
"2.7.2",
"2.8.1",
"2.9.1"
],
"identifier": "CVE-2022-35973",
"identifiers": [
"GHSA-689c-r7h2-fv9v",
"CVE-2022-35973"
],
"not_impacted": "All versions starting from 2.7.2 before 2.8.0, all versions starting from 2.8.1 before 2.9.0, all versions starting from 2.9.1",
"package_slug": "pypi/tensorflow-gpu",
"pubdate": "2022-09-16",
"solution": "Upgrade to versions 2.7.2, 2.8.1, 2.9.1 or above.",
"title": "Improper Input Validation",
"urls": [
"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v",
"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48",
"https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0",
"https://github.com/advisories/GHSA-689c-r7h2-fv9v"
],
"uuid": "ccbde0d4-b9f0-44dc-b4a9-dfad41788416"
},
{
"affected_range": "\u003e=2.7.0,\u003c2.7.2||\u003e=2.8.0,\u003c2.8.1||\u003e=2.9.0,\u003c2.9.1||==2.10",
"affected_versions": "All versions starting from 2.7.0 before 2.7.2, all versions starting from 2.8.0 before 2.8.1, all versions starting from 2.9.0 before 2.9.1, version 2.10",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-09-20",
"description": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"fixed_versions": [
"2.7.2",
"2.8.1",
"2.9.1"
],
"identifier": "CVE-2022-35973",
"identifiers": [
"CVE-2022-35973",
"GHSA-689c-r7h2-fv9v"
],
"not_impacted": "All versions before 2.7.0, all versions starting from 2.7.2 before 2.8.0, all versions starting from 2.8.1 before 2.9.0, all versions starting from 2.9.1 before 2.10, all versions after 2.10",
"package_slug": "pypi/tensorflow",
"pubdate": "2022-09-16",
"solution": "Upgrade to versions 2.7.2, 2.8.1, 2.9.1 or above.",
"title": "Improper Input Validation",
"urls": [
"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v",
"https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48",
"https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0",
"https://github.com/advisories/GHSA-689c-r7h2-fv9v"
],
"uuid": "26596ccc-f415-43f7-8b18-8393999c420c"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.7.2",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.8.1",
"versionStartIncluding": "2.8.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:tensorflow:2.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:tensorflow:2.10:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:tensorflow:2.10:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:tensorflow:2.10:rc0:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.9.1",
"versionStartIncluding": "2.9.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-35973"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48"
},
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-09-20T19:12Z",
"publishedDate": "2022-09-16T21:15Z"
}
}
}
OPENSUSE-SU-2024:12355-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
tensorflow-lite-2.10.0-1.1 on GA media
Notes
Title of the patch
tensorflow-lite-2.10.0-1.1 on GA media
Description of the patch
These are all security issues fixed in the tensorflow-lite-2.10.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-12355
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "tensorflow-lite-2.10.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the tensorflow-lite-2.10.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12355",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12355-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35934 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35934/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35935 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35935/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35937 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35937/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35938 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35938/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35939 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35939/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35940 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35940/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35941 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35941/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35952 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35952/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35959 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35959/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35960 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35960/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35963 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35963/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35964 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35964/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35965 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35965/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35966 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35966/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35967 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35967/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35968 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35968/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35969 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35969/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35970 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35970/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35971 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35972 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35972/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35973 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35973/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35974 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35974/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35979 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35979/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35981 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35981/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35982 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35982/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35983 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35983/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35984 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35984/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35985 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35985/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35986 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35987 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35987/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35988 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35988/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35989 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35989/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35990 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35990/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35991 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35991/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35992 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35992/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35993 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35993/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35994 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35994/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35995 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35995/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35996 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35996/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35997 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35997/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35998 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35998/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35999 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35999/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36000 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36000/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36001 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36001/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36002 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36002/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36003 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36003/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36004 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36004/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36005 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36005/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36011 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36011/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36012 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36012/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36013 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36013/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36014 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36014/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36015 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36015/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36016 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36016/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36017 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36017/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36018 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36018/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36019 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36019/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36026 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36026/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36027 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36027/"
}
],
"title": "tensorflow-lite-2.10.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12355-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "tensorflow-lite-2.10.0-1.1.aarch64",
"product": {
"name": "tensorflow-lite-2.10.0-1.1.aarch64",
"product_id": "tensorflow-lite-2.10.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "tensorflow-lite-devel-2.10.0-1.1.aarch64",
"product": {
"name": "tensorflow-lite-devel-2.10.0-1.1.aarch64",
"product_id": "tensorflow-lite-devel-2.10.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "tensorflow-lite-2.10.0-1.1.ppc64le",
"product": {
"name": "tensorflow-lite-2.10.0-1.1.ppc64le",
"product_id": "tensorflow-lite-2.10.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"product": {
"name": "tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"product_id": "tensorflow-lite-devel-2.10.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "tensorflow-lite-2.10.0-1.1.s390x",
"product": {
"name": "tensorflow-lite-2.10.0-1.1.s390x",
"product_id": "tensorflow-lite-2.10.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "tensorflow-lite-devel-2.10.0-1.1.s390x",
"product": {
"name": "tensorflow-lite-devel-2.10.0-1.1.s390x",
"product_id": "tensorflow-lite-devel-2.10.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "tensorflow-lite-2.10.0-1.1.x86_64",
"product": {
"name": "tensorflow-lite-2.10.0-1.1.x86_64",
"product_id": "tensorflow-lite-2.10.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "tensorflow-lite-devel-2.10.0-1.1.x86_64",
"product": {
"name": "tensorflow-lite-devel-2.10.0-1.1.x86_64",
"product_id": "tensorflow-lite-devel-2.10.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tensorflow-lite-2.10.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64"
},
"product_reference": "tensorflow-lite-2.10.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tensorflow-lite-2.10.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le"
},
"product_reference": "tensorflow-lite-2.10.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tensorflow-lite-2.10.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x"
},
"product_reference": "tensorflow-lite-2.10.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tensorflow-lite-2.10.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64"
},
"product_reference": "tensorflow-lite-2.10.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tensorflow-lite-devel-2.10.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64"
},
"product_reference": "tensorflow-lite-devel-2.10.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tensorflow-lite-devel-2.10.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le"
},
"product_reference": "tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tensorflow-lite-devel-2.10.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x"
},
"product_reference": "tensorflow-lite-devel-2.10.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tensorflow-lite-devel-2.10.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
},
"product_reference": "tensorflow-lite-devel-2.10.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-35934",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35934"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The implementation of tf.reshape op in TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor. This issue has been patched in GitHub commit 61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35934",
"url": "https://www.suse.com/security/cve/CVE-2022-35934"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35934",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35934"
},
{
"cve": "CVE-2022-35935",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35935"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The implementation of SobolSampleOp is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by assuming `input(0)`, `input(1)`, and `input(2)` to be scalar. This issue has been patched in GitHub commit c65c67f88ad770662e8f191269a907bf2b94b1bf. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35935",
"url": "https://www.suse.com/security/cve/CVE-2022-35935"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35935",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35935"
},
{
"cve": "CVE-2022-35937",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35937"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The `GatherNd` function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read is triggered. This issue has been patched in GitHub commit 595a65a3e224a0362d7e68c2213acfc2b499a196. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35937",
"url": "https://www.suse.com/security/cve/CVE-2022-35937"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35937",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35937"
},
{
"cve": "CVE-2022-35938",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35938"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The `GatherNd` function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. This issue has been patched in GitHub commit 4142e47e9e31db481781b955ed3ff807a781b494. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35938",
"url": "https://www.suse.com/security/cve/CVE-2022-35938"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35938",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35938"
},
{
"cve": "CVE-2022-35939",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35939"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The `ScatterNd` function takes an input argument that determines the indices of of the output tensor. An input index greater than the output tensor or less than zero will either write content at the wrong index or trigger a crash. We have patched the issue in GitHub commit b4d4b4cb019bd7240a52daa4ba61e3cc814f0384. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35939",
"url": "https://www.suse.com/security/cve/CVE-2022-35939"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35939",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35939"
},
{
"cve": "CVE-2022-35940",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35940"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The `RaggedRangOp` function takes an argument `limits` that is eventually used to construct a `TensorShape` as an `int64`. If `limits` is a very large float, it can overflow when converted to an `int64`. This triggers an `InvalidArgument` but also throws an abort signal that crashes the program. We have patched the issue in GitHub commit 37cefa91bee4eace55715eeef43720b958a01192. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35940",
"url": "https://www.suse.com/security/cve/CVE-2022-35940"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35940",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35940"
},
{
"cve": "CVE-2022-35941",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35941"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The `AvgPoolOp` function takes an argument `ksize` that must be positive but is not checked. A negative `ksize` can trigger a `CHECK` failure and crash the program. We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds to this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35941",
"url": "https://www.suse.com/security/cve/CVE-2022-35941"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35941",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35941"
},
{
"cve": "CVE-2022-35952",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35952"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The `UnbatchGradOp` function takes an argument `id` that is assumed to be a scalar. A nonscalar `id` can trigger a `CHECK` failure and crash the program. It also requires its argument `batch_index` to contain three times the number of elements as indicated in its `batch_index.dim_size(0)`. An incorrect `batch_index` can trigger a `CHECK` failure and crash the program. We have patched the issue in GitHub commit 5f945fc6409a3c1e90d6970c9292f805f6e6ddf2. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35952",
"url": "https://www.suse.com/security/cve/CVE-2022-35952"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35952",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35952"
},
{
"cve": "CVE-2022-35959",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35959"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The implementation of `AvgPool3DGradOp` does not fully validate the input `orig_input_shape`. This results in an overflow that results in a `CHECK` failure which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 9178ac9d6389bdc54638ab913ea0e419234d14eb. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35959",
"url": "https://www.suse.com/security/cve/CVE-2022-35959"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35959",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35959"
},
{
"cve": "CVE-2022-35960",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35960"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. In `core/kernels/list_kernels.cc\u0027s TensorListReserve`, `num_elements` is assumed to be a tensor of size 1. When a `num_elements` of more than 1 element is provided, then `tf.raw_ops.TensorListReserve` fails the `CHECK_EQ` in `CheckIsAlignedAndSingleElement`. We have patched the issue in GitHub commit b5f6fbfba76576202b72119897561e3bd4f179c7. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35960",
"url": "https://www.suse.com/security/cve/CVE-2022-35960"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35960",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35960"
},
{
"cve": "CVE-2022-35963",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35963"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The implementation of `FractionalAvgPoolGrad` does not fully validate the input `orig_input_tensor_shape`. This results in an overflow that results in a `CHECK` failure which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 03a659d7be9a1154fdf5eeac221e5950fec07dad. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35963",
"url": "https://www.suse.com/security/cve/CVE-2022-35963"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35963",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35963"
},
{
"cve": "CVE-2022-35964",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35964"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The implementation of `BlockLSTMGradV2` does not fully validate its inputs. This results in a a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 2a458fc4866505be27c62f81474ecb2b870498fa. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35964",
"url": "https://www.suse.com/security/cve/CVE-2022-35964"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35964",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35964"
},
{
"cve": "CVE-2022-35965",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35965"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `LowerBound` or `UpperBound` is given an empty`sorted_inputs` input, it results in a `nullptr` dereference, leading to a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit bce3717eaef4f769019fd18e990464ca4a2efeea. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35965",
"url": "https://www.suse.com/security/cve/CVE-2022-35965"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35965",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35965"
},
{
"cve": "CVE-2022-35966",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35966"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `QuantizedAvgPool` is given `min_input` or `max_input` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 7cdf9d4d2083b739ec81cfdace546b0c99f50622. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35966",
"url": "https://www.suse.com/security/cve/CVE-2022-35966"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35966",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35966"
},
{
"cve": "CVE-2022-35967",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35967"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `QuantizedAdd` is given `min_input` or `max_input` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 49b3824d83af706df0ad07e4e677d88659756d89. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35967",
"url": "https://www.suse.com/security/cve/CVE-2022-35967"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35967",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35967"
},
{
"cve": "CVE-2022-35968",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35968"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The implementation of `AvgPoolGrad` does not fully validate the input `orig_input_shape`. This results in a `CHECK` failure which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35968",
"url": "https://www.suse.com/security/cve/CVE-2022-35968"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35968",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35968"
},
{
"cve": "CVE-2022-35969",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35969"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. The implementation of `Conv2DBackpropInput` requires `input_sizes` to be 4-dimensional. Otherwise, it gives a `CHECK` failure which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 50156d547b9a1da0144d7babe665cf690305b33c. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35969",
"url": "https://www.suse.com/security/cve/CVE-2022-35969"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35969",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35969"
},
{
"cve": "CVE-2022-35970",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35970"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `QuantizedInstanceNorm` is given `x_min` or `x_max` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35970",
"url": "https://www.suse.com/security/cve/CVE-2022-35970"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35970",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35970"
},
{
"cve": "CVE-2022-35971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35971"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `FakeQuantWithMinMaxVars` is given `min` or `max` tensors of a nonzero rank, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35971",
"url": "https://www.suse.com/security/cve/CVE-2022-35971"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35971",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35971"
},
{
"cve": "CVE-2022-35972",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35972"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `QuantizedBiasAdd` is given `min_input`, `max_input`, `min_bias`, `max_bias` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35972",
"url": "https://www.suse.com/security/cve/CVE-2022-35972"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35972",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35972"
},
{
"cve": "CVE-2022-35973",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35973"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for: `min_a`, `max_a`, `min_b`, or `max_b` It gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35973",
"url": "https://www.suse.com/security/cve/CVE-2022-35973"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35973",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35973"
},
{
"cve": "CVE-2022-35974",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35974"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `QuantizeDownAndShrinkRange` is given nonscalar inputs for `input_min` or `input_max`, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 73ad1815ebcfeb7c051f9c2f7ab5024380ca8613. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35974",
"url": "https://www.suse.com/security/cve/CVE-2022-35974"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35974",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35974"
},
{
"cve": "CVE-2022-35979",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35979"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `QuantizedRelu` or `QuantizedRelu6` are given nonscalar inputs for `min_features` or `max_features`, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 49b3824d83af706df0ad07e4e677d88659756d89. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35979",
"url": "https://www.suse.com/security/cve/CVE-2022-35979"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35979",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35979"
},
{
"cve": "CVE-2022-35981",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35981"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. `FractionalMaxPoolGrad` validates its inputs with `CHECK` failures instead of with returning errors. If it gets incorrectly sized inputs, the `CHECK` failure can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 8741e57d163a079db05a7107a7609af70931def4. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35981",
"url": "https://www.suse.com/security/cve/CVE-2022-35981"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35981",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35981"
},
{
"cve": "CVE-2022-35982",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35982"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `SparseBincount` is given inputs for `indices`, `values`, and `dense_shape` that do not make a valid sparse tensor, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 40adbe4dd15b582b0210dfbf40c243a62f5119fa. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35982",
"url": "https://www.suse.com/security/cve/CVE-2022-35982"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35982",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35982"
},
{
"cve": "CVE-2022-35983",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35983"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `Save` or `SaveSlices` is run over tensors of an unsupported `dtype`, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35983",
"url": "https://www.suse.com/security/cve/CVE-2022-35983"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35983",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35983"
},
{
"cve": "CVE-2022-35984",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35984"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. `ParameterizedTruncatedNormal` assumes `shape` is of type `int32`. A valid `shape` of type `int64` results in a mismatched type `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 72180be03447a10810edca700cbc9af690dfeb51. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35984",
"url": "https://www.suse.com/security/cve/CVE-2022-35984"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35984",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35984"
},
{
"cve": "CVE-2022-35985",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35985"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `LRNGrad` is given an `output_image` input tensor that is not 4-D, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit bd90b3efab4ec958b228cd7cfe9125be1c0cf255. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35985",
"url": "https://www.suse.com/security/cve/CVE-2022-35985"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35985",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35985"
},
{
"cve": "CVE-2022-35986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35986"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `RaggedBincount` is given an empty input tensor `splits`, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 7a4591fd4f065f4fa903593bc39b2f79530a74b8. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35986",
"url": "https://www.suse.com/security/cve/CVE-2022-35986"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35986",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35986"
},
{
"cve": "CVE-2022-35987",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35987"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. `DenseBincount` assumes its input tensor `weights` to either have the same shape as its input tensor `input` or to be length-0. A different `weights` shape will trigger a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit bf4c14353c2328636a18bfad1e151052c81d5f43. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35987",
"url": "https://www.suse.com/security/cve/CVE-2022-35987"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35987",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35987"
},
{
"cve": "CVE-2022-35988",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35988"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `tf.linalg.matrix_rank` receives an empty input `a`, the GPU kernel gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit c55b476aa0e0bd4ee99d0f3ad18d9d706cd1260a. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35988",
"url": "https://www.suse.com/security/cve/CVE-2022-35988"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35988",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35988"
},
{
"cve": "CVE-2022-35989",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35989"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `MaxPool` receives a window size input array `ksize` with dimensions greater than its input tensor `input`, the GPU kernel gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 32d7bd3defd134f21a4e344c8dfd40099aaf6b18. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35989",
"url": "https://www.suse.com/security/cve/CVE-2022-35989"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35989",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35989"
},
{
"cve": "CVE-2022-35990",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35990"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `tf.quantization.fake_quant_with_min_max_vars_per_channel_gradient` receives input `min` or `max` of rank other than 1, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit f3cf67ac5705f4f04721d15e485e192bb319feed. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35990",
"url": "https://www.suse.com/security/cve/CVE-2022-35990"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35990",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35990"
},
{
"cve": "CVE-2022-35991",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35991"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `TensorListScatter` and `TensorListScatterV2` receive an `element_shape` of a rank greater than one, they give a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit bb03fdf4aae944ab2e4b35c7daa051068a8b7f61. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35991",
"url": "https://www.suse.com/security/cve/CVE-2022-35991"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35991",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35991"
},
{
"cve": "CVE-2022-35992",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35992"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `TensorListFromTensor` receives an `element_shape` of a rank greater than one, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 3db59a042a38f4338aa207922fa2f476e000a6ee. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35992",
"url": "https://www.suse.com/security/cve/CVE-2022-35992"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35992",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35992"
},
{
"cve": "CVE-2022-35993",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35993"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `SetSize` receives an input `set_shape` that is not a 1D tensor, it gives a `CHECK` fails that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit cf70b79d2662c0d3c6af74583641e345fc939467. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35993",
"url": "https://www.suse.com/security/cve/CVE-2022-35993"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35993",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35993"
},
{
"cve": "CVE-2022-35994",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35994"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `CollectiveGather` receives an scalar input `input`, it gives a `CHECK` fails that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit c1f491817dec39a26be3c574e86a88c30f3c4770. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35994",
"url": "https://www.suse.com/security/cve/CVE-2022-35994"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35994",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35994"
},
{
"cve": "CVE-2022-35995",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35995"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `AudioSummaryV2` receives an input `sample_rate` with more than one element, it gives a `CHECK` fails that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit bf6b45244992e2ee543c258e519489659c99fb7f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35995",
"url": "https://www.suse.com/security/cve/CVE-2022-35995"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35995",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35995"
},
{
"cve": "CVE-2022-35996",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35996"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `Conv2D` is given empty `input` and the `filter` and `padding` sizes are valid, the output is all-zeros. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 611d80db29dd7b0cfb755772c69d60ae5bca05f9. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35996",
"url": "https://www.suse.com/security/cve/CVE-2022-35996"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35996",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35996"
},
{
"cve": "CVE-2022-35997",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35997"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `tf.sparse.cross` receives an input `separator` that is not a scalar, it gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 83dcb4dbfa094e33db084e97c4d0531a559e0ebf. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35997",
"url": "https://www.suse.com/security/cve/CVE-2022-35997"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35997",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35997"
},
{
"cve": "CVE-2022-35998",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35998"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `EmptyTensorList` receives an input `element_shape` with more than one dimension, it gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit c8ba76d48567aed347508e0552a257641931024d. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35998",
"url": "https://www.suse.com/security/cve/CVE-2022-35998"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35998",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35998"
},
{
"cve": "CVE-2022-35999",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35999"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `Conv2DBackpropInput` receives empty `out_backprop` inputs (e.g. `[3, 1, 0, 1]`), the current CPU/GPU kernels `CHECK` fail (one with dnnl, the other with cudnn). This can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 27a65a43cf763897fecfa5cdb5cc653fc5dd0346. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35999",
"url": "https://www.suse.com/security/cve/CVE-2022-35999"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-35999",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-35999"
},
{
"cve": "CVE-2022-36000",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36000"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit aed36912609fc07229b4d0a7b44f3f48efc00fd0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36000",
"url": "https://www.suse.com/security/cve/CVE-2022-36000"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36000",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36000"
},
{
"cve": "CVE-2022-36001",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36001"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `DrawBoundingBoxes` receives an input `boxes` that is not of dtype `float`, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit da0d65cdc1270038e72157ba35bf74b85d9bda11. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36001",
"url": "https://www.suse.com/security/cve/CVE-2022-36001"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36001",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36001"
},
{
"cve": "CVE-2022-36002",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36002"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `Unbatch` receives a nonscalar input `id`, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 4419d10d576adefa36b0e0a9425d2569f7c0189f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36002",
"url": "https://www.suse.com/security/cve/CVE-2022-36002"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36002",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36002"
},
{
"cve": "CVE-2022-36003",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36003"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `RandomPoissonV2` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36003",
"url": "https://www.suse.com/security/cve/CVE-2022-36003"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36003",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36003"
},
{
"cve": "CVE-2022-36004",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36004"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `tf.random.gamma` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36004",
"url": "https://www.suse.com/security/cve/CVE-2022-36004"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36004",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36004"
},
{
"cve": "CVE-2022-36005",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36005"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `tf.quantization.fake_quant_with_min_max_vars_gradient` receives input `min` or `max` that is nonscalar, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit f3cf67ac5705f4f04721d15e485e192bb319feed. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36005",
"url": "https://www.suse.com/security/cve/CVE-2022-36005"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36005",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36005"
},
{
"cve": "CVE-2022-36011",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36011"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36011",
"url": "https://www.suse.com/security/cve/CVE-2022-36011"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36011",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36011"
},
{
"cve": "CVE-2022-36012",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36012"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it crashes. We have patched the issue in GitHub commit ad069af92392efee1418c48ff561fd3070a03d7b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36012",
"url": "https://www.suse.com/security/cve/CVE-2022-36012"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36012",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36012"
},
{
"cve": "CVE-2022-36013",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36013"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `mlir::tfg::GraphDefImporter::ConvertNodeDef` tries to convert NodeDefs without an op name, it crashes. We have patched the issue in GitHub commit a0f0b9a21c9270930457095092f558fbad4c03e5. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36013",
"url": "https://www.suse.com/security/cve/CVE-2022-36013"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36013",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36013"
},
{
"cve": "CVE-2022-36014",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36014"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `mlir::tfg::TFOp::nameAttr` receives null type list attributes, it crashes. We have patched the issue in GitHub commits 3a754740d5414e362512ee981eefba41561a63a6 and a0f0b9a21c9270930457095092f558fbad4c03e5. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36014",
"url": "https://www.suse.com/security/cve/CVE-2022-36014"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36014",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36014"
},
{
"cve": "CVE-2022-36015",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36015"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `RangeSize` receives values that do not fit into an `int64_t`, it crashes. We have patched the issue in GitHub commit 37e64539cd29fcfb814c4451152a60f5d107b0f0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36015",
"url": "https://www.suse.com/security/cve/CVE-2022-36015"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36015",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36015"
},
{
"cve": "CVE-2022-36016",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36016"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When `tensorflow::full_type::SubstituteFromAttrs` receives a `FullTypeDef\u0026 t` that is not exactly three args, it triggers a `CHECK`-fail instead of returning a status. We have patched the issue in GitHub commit 6104f0d4091c260ce9352f9155f7e9b725eab012. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36016",
"url": "https://www.suse.com/security/cve/CVE-2022-36016"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36016",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36016"
},
{
"cve": "CVE-2022-36017",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36017"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `Requantize` is given `input_min`, `input_max`, `requested_output_min`, `requested_output_max` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36017",
"url": "https://www.suse.com/security/cve/CVE-2022-36017"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36017",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36017"
},
{
"cve": "CVE-2022-36018",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36018"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `RaggedTensorToVariant` is given a `rt_nested_splits` list that contains tensors of ranks other than one, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 88f93dfe691563baa4ae1e80ccde2d5c7a143821. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36018",
"url": "https://www.suse.com/security/cve/CVE-2022-36018"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36018",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36018"
},
{
"cve": "CVE-2022-36019",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36019"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `FakeQuantWithMinMaxVarsPerChannel` is given `min` or `max` tensors of a rank other than one, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36019",
"url": "https://www.suse.com/security/cve/CVE-2022-36019"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36019",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36019"
},
{
"cve": "CVE-2022-36026",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36026"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. If `QuantizeAndDequantizeV3` is given a nonscalar `num_bits` input tensor, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit f3f9cb38ecfe5a8a703f2c4a8fead434ef291713. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36026",
"url": "https://www.suse.com/security/cve/CVE-2022-36026"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36026",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36026"
},
{
"cve": "CVE-2022-36027",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36027"
}
],
"notes": [
{
"category": "general",
"text": "TensorFlow is an open source platform for machine learning. When converting transposed convolutions using per-channel weight quantization the converter segfaults and crashes the Python process. We have patched the issue in GitHub commit aa0b852a4588cea4d36b74feb05d93055540b450. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36027",
"url": "https://www.suse.com/security/cve/CVE-2022-36027"
},
{
"category": "external",
"summary": "SUSE Bug 1203507 for CVE-2022-36027",
"url": "https://bugzilla.suse.com/1203507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-2.10.0-1.1.x86_64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.aarch64",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.ppc64le",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.s390x",
"openSUSE Tumbleweed:tensorflow-lite-devel-2.10.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-36027"
}
]
}
GHSA-689C-R7H2-FV9V
Vulnerability from github – Published: 2022-09-16 22:22 – Updated: 2022-09-19 19:35
VLAI?
Summary
TensorFlow vulnerable to segfault in `QuantizedMatMul`
Details
Impact
If QuantizedMatMul is given nonscalar input for:
- min_a
- max_a
- min_b
- max_b
It gives a segfault that can be used to trigger a denial of service attack.
import tensorflow as tf
Toutput = tf.qint32
transpose_a = False
transpose_b = False
Tactivation = tf.quint8
a = tf.constant(7, shape=[3,4], dtype=tf.quint8)
b = tf.constant(1, shape=[2,3], dtype=tf.quint8)
min_a = tf.constant([], shape=[0], dtype=tf.float32)
max_a = tf.constant(0, shape=[1], dtype=tf.float32)
min_b = tf.constant(0, shape=[1], dtype=tf.float32)
max_b = tf.constant(0, shape=[1], dtype=tf.float32)
tf.raw_ops.QuantizedMatMul(a=a, b=b, min_a=min_a, max_a=max_a, min_b=min_b, max_b=max_b, Toutput=Toutput, transpose_a=transpose_a, transpose_b=transpose_b, Tactivation=Tactivation)
Patches
We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48.
The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.
Severity ?
5.9 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35973"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T22:22:27Z",
"nvd_published_at": "2022-09-16T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf `QuantizedMatMul` is given nonscalar input for:\n - `min_a`\n - `max_a`\n - `min_b`\n - `max_b`\nIt gives a segfault that can be used to trigger a denial of service attack.\n```python\nimport tensorflow as tf\n\nToutput = tf.qint32\ntranspose_a = False\ntranspose_b = False\nTactivation = tf.quint8\na = tf.constant(7, shape=[3,4], dtype=tf.quint8)\nb = tf.constant(1, shape=[2,3], dtype=tf.quint8)\nmin_a = tf.constant([], shape=[0], dtype=tf.float32)\nmax_a = tf.constant(0, shape=[1], dtype=tf.float32)\nmin_b = tf.constant(0, shape=[1], dtype=tf.float32)\nmax_b = tf.constant(0, shape=[1], dtype=tf.float32)\ntf.raw_ops.QuantizedMatMul(a=a, b=b, min_a=min_a, max_a=max_a, min_b=min_b, max_b=max_b, Toutput=Toutput, transpose_a=transpose_a, transpose_b=transpose_b, Tactivation=Tactivation)\n```\n\n### Patches\nWe have patched the issue in GitHub commit [aca766ac7693bf29ed0df55ad6bfcc78f35e7f48](https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48).\n\nThe fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.\n",
"id": "GHSA-689c-r7h2-fv9v",
"modified": "2022-09-19T19:35:12Z",
"published": "2022-09-16T22:22:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-689c-r7h2-fv9v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35973"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "TensorFlow vulnerable to segfault in `QuantizedMatMul`"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…