CVE-2022-23563

Date: February 4, 2022

TensorFlow is an open source machine learning framework. In multiple places, TensorFlow uses "tempfile.mktemp" to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous, as a different process can create the file between the check for the filename in "mktemp" and the actual creation of the file by a subsequent operation (a TOCTOU-type weakness). In several instances, TensorFlow was supposed to actually create a temporary directory instead of a file. This logic bug is hidden away by the "mktemp" function usage. We have patched the issue in several commits, replacing "mktemp" with the safer "mkstemp"/"mkdtemp" functions, according to the usage pattern. Users are advised to upgrade as soon as possible.
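The pattern described above next to its replacements, as an added Python example (not TensorFlow's code). The helper names and the `between` hook that stands in for a second local process are assumptions for illustration, and the permission modes assume a POSIX system.

```python
import os
import stat
import tempfile

def write_unsafe(data, between=None):
    # Pre-fix pattern: mktemp() only picks a name that did not exist when checked.
    path = tempfile.mktemp()
    if between:
        between(path)  # hypothetical hook: another local process acting in the gap
    with open(path, "w") as f:  # open() accepts (and truncates) a file someone else made
        f.write(data)
    return path

def write_safe(data):
    # Fixed pattern: mkstemp() creates and opens in one step (O_CREAT|O_EXCL, mode 0600).
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def make_workdir():
    # Where a directory was wanted all along: mkdtemp() creates it with mode 0700.
    return tempfile.mkdtemp()

def unsafe_writer_reuses_foreign_file():
    # True if write_unsafe() wrote into a file it did not create.
    seen = {}
    def other_process(path):  # constructed stand-in for the racing process
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644)
        seen["ino"] = os.fstat(fd).st_ino
        os.close(fd)
    path = write_unsafe("secret", other_process)
    reused = os.stat(path).st_ino == seen["ino"]
    os.unlink(path)
    return reused

def mode_of(path):
    # Permission bits only, without the file-type bits.
    return stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    print("unsafe writer reused a foreign file:", unsafe_writer_reuses_foreign_file())
    p, d = write_safe("secret"), make_workdir()
    print("mkstemp mode:", oct(mode_of(p)), "mkdtemp mode:", oct(mode_of(d)))
    os.unlink(p)
    os.rmdir(d)
```

When auditing a code base for this weakness, searching for `mktemp(` and checking whether each call site wanted a file or a directory covers both halves of the advisory.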

Language: C++

Severity Score

Weakness Type (CWE)

Exposure of Resource to Wrong Sphere

CWE-668

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-367

Top Fix

Upgrade Version

Upgrade to version tensorflow - 2.7.1; tensorflow - 2.6.3; tensorflow - 2.5.3; tensorflow-gpu - 2.6.3; tensorflow-gpu - 2.7.1; tensorflow-gpu - 2.5.3; tensorflow-cpu - 2.6.3; tensorflow-cpu - 2.7.1; tensorflow-cpu - 2.5.3

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): LOCAL
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): NONE