Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-25661

Good to know:

icon

Date: March 27, 2023

TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose` function. This Convolution3DTranspose layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure could be potentially used to trigger a denial of service attack on ML cloud services. An attacker must have privilege to provide input to a `Convolution3DTranspose` call. This issue has been patched and users are advised to upgrade to version 2.11.1. There are no known workarounds for this vulnerability.

Language: Python

Severity Score

Related Resources (6)

https://github.com/tensorflow/tensorflow/commit/948fe6369a5711d4b4568ea9bbf6015c6dfb77e2
https://github.com/keras-team/keras/commit/85db5d07db54b853484bfd358c3894d948c36baf
https://nvd.nist.gov/vuln/detail/CVE-2023-25661
https://github.com/tensorflow/tensorflow
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fxgc-95xx-grvq
https://www.mend.io/vulnerability-database/CVE-2023-25661

Severity Score

Weakness Type (CWE)

Input Validation

CWE-20

Insufficient Information

NVD-CWE-noinfo

Top Fix

icon

Upgrade Version

Upgrade to version tensorflow - 2.11.1,2.12.0, tensorflow-cpu - 2.11.1,2.12.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us