CVE-2023-25668

CRITICAL9.8EPSS 1.5%

TensorFlow vulnerable to heap out-of-buffer read in the QuantizeAndDequantize operation

發布日:2023/3/24修改日:2025/5/20

描述

TensorFlow is an open source platform for machine learning. Attackers using Tensorflow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1.

受影響套件(4)

Bitnami/tensorflowfrom 0, < 2.12.0
PyPI/tensorflowfrom 0, < 2.11.1
PyPI/tensorflow-cpufrom 0, < 2.11.1
PyPI/tensorflow-gpufrom 0, < 2.11.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-25668
PATCHhttps://github.com/tensorflow/tensorflow
WEBhttps://github.com/tensorflow/tensorflow/commit/7b174a0f2e40ff3f3aa957aecddfd5aaae35eccb
WEBhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-gw97-ff7c-9v96