VDB
CVE-2022-21741
CVE-2022-21741
PUBLISHED
Tensorflow is an Open Source Machine Learning Framework. ### Impact An attacker can craft a TFLite model that would trigger a division by zero in the implementation of depthwise convolutions. The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding that needs to be added before applying the convolution. There is no check before this division that the divisor is strictly positive. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
EPSS 0.23% · 46.2th percentile
Risk Scores
EPSS Score
0.23%
46.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | tensorflow | 0, 2.6.0, 2.7.0 |
| Bitnami | tensorflow | 0, 2.6.0, 2.7.0 |
Exploit Intelligence
- https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/lite/kernels/depthwise_conv.cc#L96 (nist-nvd)
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-428x-9xc2-m8mj (circl)
- https://github.com/tensorflow/tensorflow/commit/e5b0eec199c2d03de54fd6a7fd9275692218e2bc (circl)
Timeline
- Feb 3, 2022 CVE Published
- Feb 8, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 24, 2022 EPSS Score
- Jul 16, 2022 EPSS Score
- Sep 7, 2022 EPSS Score
- Oct 29, 2022 EPSS Score
- Dec 21, 2022 EPSS Score
- Feb 11, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 5, 2023 EPSS Score
- May 27, 2023 EPSS Score
References
- https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/lite/kernels/depthwise_conv.cc#L96 url
- https://github.com/tensorflow/tensorflow/commit/e5b0eec199c2d03de54fd6a7fd9275692218e2bc url
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-428x-9xc2-m8mj url
- https://nvd.nist.gov/vuln/detail/CVE-2022-21741 url