aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

2170 items

CVE-2022-35952: TensorFlow is an open source platform for machine learning. The `UnbatchGradOp` function takes an argument `id` that is

Severity: medium | Tags: vulnerability, security
Sep 16, 2022
CVE-2022-35952

TensorFlow's `UnbatchGradOp` kernel (the gradient of the batching op) does not validate its inputs: `id` is assumed to be a scalar (a single value), and `batch_index` is assumed to have a particular size. A non-scalar `id` or a wrongly sized `batch_index` trips a fatal internal check that aborts the whole process, so anyone who can feed the op crafted inputs can take down the hosting program (denial of service). There are no known workarounds.

Fix: The issue was patched in GitHub commit 5f945fc6409a3c1e90d6970c9292f805f6e6ddf2. The fix will be included in TensorFlow 2.10.0 and will also be backported to TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2.

NVD/CVE Database

CVE-2022-35941: TensorFlow is an open source platform for machine learning. The `AvgPoolOp` function takes an argument `ksize` that must

Severity: medium | Tags: vulnerability, security
Sep 16, 2022
CVE-2022-35941

TensorFlow's `AvgPoolOp` kernel never checks that its `ksize` argument (the pooling window size) is positive. A negative `ksize` aborts the process, a denial of service against whatever is hosting the op. The issue has been patched and the fix will ship in upcoming TensorFlow releases.

CVE-2022-35940: TensorFlow is an open source platform for machine learning. The `RaggedRangOp` function takes an argument `limits` that

Severity: medium | Tags: vulnerability, security
Sep 16, 2022
CVE-2022-35940

TensorFlow's `RaggedRangeOp` kernel (spelled `RaggedRangOp` in the advisory text) casts its `limits` argument to `int64` (a 64-bit signed integer). A sufficiently large float in `limits` overflows that conversion, and the process is aborted with an abort signal rather than returning an error. Multiple TensorFlow versions are affected and there is no known workaround.

CVE-2022-35939: TensorFlow is an open source platform for machine learning. The `ScatterNd` function takes an input argument that determ

Severity: high | Tags: vulnerability, security
Sep 16, 2022
CVE-2022-35939

TensorFlow's `ScatterNd` op (which writes `updates` into positions of an output tensor selected by an `indices` tensor) does not validate those indices. An index that is negative or beyond the output's bounds either writes the update to the wrong location or crashes the process: an out-of-bounds write rather than a clean error, which is why this one is rated high. Multiple TensorFlow versions are affected.

CVE-2022-35938: TensorFlow is an open source platform for machine learning. The `GatherNd` function takes arguments that determine the s

Severity: high | Tags: vulnerability, security
Sep 16, 2022
CVE-2022-35938

TensorFlow's `GatherNd` op (which reads values out of a tensor at positions given by an index tensor) takes arguments that determine the sizes of its inputs and outputs. When the inputs are greater than or equal to the outputs in size, the kernel reads past the end of the buffer it owns (an out-of-bounds read), which can return unrelated memory contents or crash the process. Multiple recent TensorFlow versions are affected.

CVE-2022-35937: TensorFlow is an open source platform for machine learning. The `GatherNd` function takes arguments that determine the s

Severity: high | Tags: vulnerability, security
Sep 16, 2022
CVE-2022-35937

A second `GatherNd` issue with the same root cause: the kernel does not check that its inputs fit within the expected output sizes, so oversized inputs make it read memory outside the buffer it owns. The result is an out-of-bounds read, which can expose sensitive process memory or crash the system.
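The ScatterNd and GatherNd entries above describe one bug class: an index tensor that is trusted without checking each coordinate against its dimension. The block below is an added illustration, not TensorFlow's kernel code. It models a tensor as a flat Python list in row-major order with an explicit shape, and shows the unchecked offset computation beside a version that validates every coordinate before any read or write; the sample shape and indices are constructed for the example.

```python
"""Index validation for ScatterNd / GatherNd-style operations (illustration)."""
from math import prod


def flat_offset(coord, shape):
    """Row-major offset of `coord` in a tensor of `shape`; performs no checks."""
    off = 0
    for c, dim in zip(coord, shape):
        off = off * dim + c
    return off


def scatter_nd_unchecked(indices, updates, shape):
    """Vulnerable: trusts `indices` completely, like the unpatched kernel."""
    out = [0] * prod(shape)
    for coord, val in zip(indices, updates):
        # coord [0, 5] in shape (3, 4) gives offset 5 (row 1, col 1), and
        # [2, -1] gives offset 7 (row 1, col 3): the update silently lands in
        # the wrong row. In C++ a large enough coordinate leaves the buffer.
        out[flat_offset(coord, shape)] += val
    return out


def validate_indices(indices, shape):
    """Return a list of error messages; an empty list means every coordinate is in range."""
    errors = []
    for pos, coord in enumerate(indices):
        if len(coord) != len(shape):
            errors.append(f"indices[{pos}] has rank {len(coord)}, expected {len(shape)}")
            continue
        for axis, (c, dim) in enumerate(zip(coord, shape)):
            if isinstance(c, bool) or not isinstance(c, int):
                errors.append(f"indices[{pos}][{axis}] = {c!r} is not an integer")
            elif c < 0 or c >= dim:
                errors.append(f"indices[{pos}][{axis}] = {c} is out of range [0, {dim})")
    return errors


def scatter_nd_checked(indices, updates, shape):
    """Hardened: reject the whole op with a recoverable error if any index is bad."""
    if len(indices) != len(updates):
        raise ValueError("indices and updates must have the same length")
    errors = validate_indices(indices, shape)
    if errors:
        raise ValueError("; ".join(errors))
    out = [0] * prod(shape)
    for coord, val in zip(indices, updates):
        out[flat_offset(coord, shape)] += val
    return out


def gather_nd_checked(params, shape, indices):
    """Hardened gather: same validation, then plain reads."""
    if len(params) != prod(shape):
        raise ValueError("params does not match shape")
    errors = validate_indices(indices, shape)
    if errors:
        raise ValueError("; ".join(errors))
    return [params[flat_offset(coord, shape)] for coord in indices]


if __name__ == "__main__":
    # Constructed sample: a (3, 4) tensor and two out-of-range coordinates.
    bad = [[0, 5], [2, -1]]
    print(scatter_nd_unchecked(bad, [7, 9], (3, 4)))  # 7 at offset 5, 9 at offset 7
    print(validate_indices(bad, (3, 4)))
```

The checked functions raise before touching the output, which is the behaviour a kernel should have: an `InvalidArgument`-style error the caller can handle, rather than a silent misplaced write or a process abort.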

CVE-2022-35935: TensorFlow is an open source platform for machine learning. The implementation of SobolSampleOp is vulnerable to a denia

Severity: medium | Tags: vulnerability, security
Sep 16, 2022
CVE-2022-35935

TensorFlow's `SobolSampleOp` assumes that certain of its inputs are scalars (single values rather than arrays). Inputs of any other shape violate that assumption and abort the process, a denial of service. The bug has been fixed and the fix will ship in upcoming releases.

CVE-2022-35934: TensorFlow is an open source platform for machine learning. The implementation of tf.reshape op in TensorFlow is vulnera

Severity: medium | Tags: vulnerability, security
Sep 16, 2022
CVE-2022-35934

TensorFlow's `tf.reshape` op (which reinterprets a tensor under a new shape without changing its data) computes the number of elements in the requested shape. A crafted shape makes that count overflow the integer it is stored in (the product of the dimensions exceeds the maximum the type can hold and wraps), and the resulting consistency check aborts the process: a denial of service against any program that evaluates attacker-influenced shapes. Multiple TensorFlow versions are affected and the issue has been patched.
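The element-count overflow above is easiest to see with numbers. The block below is an added illustration, not TensorFlow's code: Python integers never overflow, so the unchecked version emulates 64-bit signed wrap-around the way a C++ product would behave, and the checked version refuses a shape whose count would overflow before the "same number of elements" comparison, which is the fix pattern. The `-1` inferred-dimension handling follows the usual reshape convention; the sample shapes are constructed.

```python
"""Overflow-safe element counting for a reshape-style op (illustration)."""

INT64_MAX = (1 << 63) - 1


def wrap_int64(x):
    """Two's-complement wrap into the int64 range, i.e. what an overflowed C++ product looks like."""
    return ((x + (1 << 63)) % (1 << 64)) - (1 << 63)


def num_elements_unchecked(shape):
    """Vulnerable: multiplies dimensions with wrap-around and no sign check."""
    n = 1
    for d in shape:
        n = wrap_int64(n * d)
    return n


def num_elements_checked(shape):
    """Element count, or None if a dimension is negative or the product would overflow int64."""
    n = 1
    for d in shape:
        if d < 0:
            return None
        if d != 0 and n > INT64_MAX // d:  # n * d would exceed INT64_MAX
            return None
        n *= d
    return n


def resolve_target_shape(input_shape, target_shape):
    """Validate a reshape request and resolve a single -1 (inferred) dimension.

    Returns the concrete output shape, or None when the request is invalid:
    a negative dimension other than -1, more than one -1, an element count
    that overflows, or counts that do not match.
    """
    n_in = num_elements_checked(input_shape)
    if n_in is None:
        return None
    unknown = [i for i, d in enumerate(target_shape) if d == -1]
    if len(unknown) > 1:
        return None
    known = [d for d in target_shape if d != -1]
    n_known = num_elements_checked(known)
    if n_known is None:
        return None
    if unknown:
        if n_known == 0 or n_in % n_known != 0:
            return None
        resolved = list(target_shape)
        resolved[unknown[0]] = n_in // n_known
        return resolved
    return list(target_shape) if n_known == n_in else None


if __name__ == "__main__":
    # Constructed input: an empty tensor and a target shape whose product is 2**64.
    huge = [1 << 32, 1 << 32]
    print(num_elements_unchecked(huge))              # 0: the product wrapped and now "matches" a 0-element input
    print(resolve_target_shape([0], huge))           # None: rejected before anything is allocated
    print(resolve_target_shape([6, 4], [2, -1, 4]))  # [2, 3, 4]
```

The dangerous case is the wrapped count that equals a legitimate one: an unchecked kernel would accept `[0]` reshaped to `[2**32, 2**32]` and then try to allocate or index an output it cannot represent.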

CVE-2022-35918: Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custo

Severity: medium | Tags: vulnerability, security
Aug 1, 2022
CVE-2022-35918

Streamlit, a Python framework for building data applications, has a directory traversal vulnerability in versions before 1.11.1 (directory traversal: crafted file paths, typically containing `../` sequences, that escape the directory a server intends to serve from). An attacker could make the Streamlit server read and return files from its own file system, such as server logs or any other file the server process can access.

CVE-2020-25459: An issue was discovered in function sync_tree in hetero_decision_tree_guest.py in WeBank FATE (Federated AI Technology E

Severity: high | Tags: vulnerability, security
Jun 16, 2022
CVE-2020-25459

CVE-2020-25459 affects WeBank FATE (Federated AI Technology Enabler, a framework for training models across multiple parties without pooling their raw data) versions 0.1 through 1.4.2. The function `sync_tree` in `hetero_decision_tree_guest.py` lets an attacker read sensitive information while a decision tree is being trained, undermining the data-privacy guarantee that federated training is meant to provide.

CVE-2022-29216: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow

Severity: high | Tags: vulnerability, security
May 21, 2022
CVE-2022-29216

TensorFlow's `saved_model_cli` tool (a command-line utility for inspecting and running saved models) had a code injection vulnerability before versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4. It passed user-supplied input expressions to `eval` (which executes text as Python code), a path kept for compatibility with older test cases, so a crafted argument could run arbitrary code, including opening a reverse shell (an outbound connection that gives the attacker remote control of the host). Because the tool is run manually by a user rather than exposed as a service, the maintainers rated the practical impact as limited; the realistic risk is a user being talked into running it on attacker-supplied arguments.
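The `eval` path above is a textbook injection sink, and the fix is to parse literals, not expressions. The block below is an added illustration, not TensorFlow's `saved_model_cli` code: it parses a constructed `name=expression;name=expression` argument string with `eval` (the bug) and with `ast.literal_eval` (the hardened form), and uses a side-effect recorder that stands in for an attacker's payload so the difference is observable without running anything harmful.

```python
"""Parsing "name=expression" command-line values with and without eval() (illustration)."""
import ast

# Constructed stand-in for an attacker's payload: a real one would spawn a
# command (the advisory mentions a reverse shell); this one only records that
# it ran, which is enough to show that eval() executed attacker-chosen code.
SIDE_EFFECTS = []


def record_side_effect(tag):
    SIDE_EFFECTS.append(tag)
    return [0]


def side_effect_count():
    return len(SIDE_EFFECTS)


def split_exprs(arg):
    """Split 'x=[1, 2]; y=3' into [('x', '[1, 2]'), ('y', '3')]."""
    pairs = []
    for item in arg.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"expected name=expression, got {item!r}")
        name, expr = item.split("=", 1)
        pairs.append((name.strip(), expr.strip()))
    return pairs


def parse_input_exprs_unsafe(arg):
    """Vulnerable: eval() on user-controlled text runs arbitrary Python."""
    return {name: eval(expr) for name, expr in split_exprs(arg)}  # the bug


def parse_input_exprs_safe(arg):
    """Hardened: only Python literals (numbers, strings, lists, tuples, dicts,
    booleans, None) are accepted; calls, attribute access and imports are rejected."""
    result = {}
    for name, expr in split_exprs(arg):
        try:
            result[name] = ast.literal_eval(expr)
        except (ValueError, SyntaxError) as e:
            raise ValueError(f"{name}: {expr!r} is not a Python literal") from e
    return result


if __name__ == "__main__":
    benign = "x=[1, 2, 3]; y=3.5"
    hostile = "x=record_side_effect('attacker code ran')"
    print(parse_input_exprs_safe(benign))
    print(parse_input_exprs_unsafe(hostile), SIDE_EFFECTS)
    try:
        parse_input_exprs_safe(hostile)
    except ValueError as e:
        print("rejected:", e)
```

`ast.literal_eval` is the right tool for "a literal typed on a command line", but it is not a sandbox for arbitrary untrusted input: its own documentation warns that deeply nested input can exhaust the interpreter's stack, so length-limit the argument before parsing it if the source is genuinely hostile.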

CVE-2022-29213: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the `tf.co

Severity: medium | Tags: vulnerability, security
May 21, 2022
CVE-2022-29213

TensorFlow had missing input validation in two signal-processing functions, `tf.compat.v1.signal.rfft2d` and `tf.compat.v1.signal.rfft3d`: inputs that did not meet the kernels' expectations could crash the process instead of producing an error. The bug was fixed in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4.

CVE-2022-29212: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, certain TF

Severity: medium | Tags: vulnerability, security
May 21, 2022
CVE-2022-29212

TensorFlow versions before 2.9.0, 2.8.1, 2.7.2, and 2.6.4 crashed when loading certain converted TFLite models. The loader assumed that the quantization scale factor (quantization shrinks a model by storing weights at lower numerical precision, with a scale factor mapping the integers back to real values) is always less than 1, which is not always true; a model with a larger scale tripped that assumption and stopped the process. Since loading a model file is the entry point, a malicious model file is enough to trigger it.

CVE-2022-29211: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Severity: medium | Tags: vulnerability, security
May 21, 2022
CVE-2022-29211

TensorFlow's `tf.histogram_fixed_width` function crashes when the `values` input contains NaN (Not a Number, the floating-point value that results from undefined operations). The kernel computes each value's bucket as a floating-point number and converts it to an integer index without first checking for NaN, and converting NaN to an integer has no defined result. Only the CPU implementation is affected.
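The NaN-to-integer conversion above is easy to reproduce in miniature. The block below is an added illustration, not TensorFlow's kernel: a bucketizer that mirrors the vulnerable pattern (fractional bucket position, clamp, then integer conversion) beside one that validates the value range and every input before doing arithmetic. In C++ the conversion is undefined behaviour and crashed the kernel; in Python `int(nan)` raises, which serves the same purpose here. Sample values are constructed.

```python
"""Bucket index computation that survives NaN/inf inputs (illustration)."""
import math


def histogram_fixed_width_unchecked(values, value_range, nbins):
    """Vulnerable: assumes every floating-point operation yields a usable number."""
    lo, hi = value_range
    counts = [0] * nbins
    for v in values:
        pos = (v - lo) / (hi - lo) * nbins   # fractional bucket position
        pos = min(max(pos, 0), nbins - 1)    # clamp; with NaN both comparisons are False, NaN survives
        counts[int(pos)] += 1                # int(NaN): undefined in C++, ValueError in Python
    return counts


def histogram_fixed_width_checked(values, value_range, nbins):
    """Hardened: returns (counts, None) or (None, error) and never converts a NaN."""
    lo, hi = value_range
    if nbins <= 0:
        return None, "nbins must be positive"
    if not (math.isfinite(lo) and math.isfinite(hi)) or not lo < hi:
        return None, "value_range must be finite with lo < hi"
    for i, v in enumerate(values):
        if not math.isfinite(v):
            return None, f"values[{i}] is {v!r}; only finite values can be bucketed"
    counts = [0] * nbins
    for v in values:
        pos = (v - lo) / (hi - lo) * nbins
        pos = min(max(pos, 0), nbins - 1)    # out-of-range finite values land in the edge bins
        counts[int(pos)] += 1
    return counts, None


if __name__ == "__main__":
    # Constructed sample: five finite values, then one NaN.
    sample = [0.0, 1.0, 2.5, 9.9, 12.0]
    print(histogram_fixed_width_unchecked(sample, (0.0, 10.0), 5))
    print(histogram_fixed_width_checked(sample + [float("nan")], (0.0, 10.0), 5))
    try:
        histogram_fixed_width_unchecked([float("nan")], (0.0, 10.0), 5)
    except ValueError as e:
        print("unchecked version failed:", e)
```

The validation also covers an infinite or inverted `value_range`, which would poison the division the same way; checking all of the kernel's floating-point inputs up front is cheaper than reasoning about every NaN propagation path afterwards.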

CVE-2022-29210: TensorFlow is an open source platform for machine learning. In version 2.8.0, the `TensorKey` hash function used total e

Severity: medium | Tags: vulnerability, security
May 21, 2022
CVE-2022-29210

TensorFlow 2.8.0 had a bug in the `TensorKey` hash function (which hashes tensors so they can be used as lookup keys). It used `AllocatedBytes()`, an estimate of the total memory a tensor owns including anything it points to (such as string data), both as the hash input and as the length of the tensor's `data()` buffer. Because `AllocatedBytes()` does not describe one contiguous buffer, the hash could read past the real data and crash, and for types like `tstring` the buffer holds pointers rather than the string values that should have been hashed, so the hash was wrong as well as unsafe.

CVE-2022-29209: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the macros

Severity: medium | Tags: vulnerability, security
May 21, 2022
CVE-2022-29209

TensorFlow versions before 2.9.0, 2.8.1, 2.7.2, and 2.6.4 had incorrect logic in the assertion macros the code base uses to check conditions when comparing `size_t` and `int` values (an unsigned and a signed integer type). Under C++'s integer conversion rules a signed `int` compared against a `size_t` is converted to unsigned, so a negative value compares as very large, and several of the macros triggered incorrectly.

CVE-2022-29208: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Severity: high | Tags: vulnerability, security
May 20, 2022
CVE-2022-29208

TensorFlow's `tf.raw_ops.EditDistance` op has incomplete input validation: callers can pass negative values that the kernel uses when computing indices for write operations. A negative index points before the start of the buffer, so the write lands outside the allocation (an out-of-bounds write) and the process dies with a segmentation fault (a crash from accessing memory it does not own), a denial of service.

CVE-2022-29206: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Severity: medium | Tags: vulnerability, security
May 20, 2022
CVE-2022-29206

CVE-2022-29206 is a bug in TensorFlow's `tf.raw_ops.SparseTensorDenseAdd` op, which does not fully validate its input arguments; certain inputs cause the kernel to dereference a null pointer (`nullptr`, a pointer to nothing) during execution, which is undefined behaviour and in practice a crash. TensorFlow versions before 2.9.0, 2.8.1, 2.7.2, and 2.6.4 are affected.

CVE-2022-29205: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, there is a

Severity: medium | Tags: vulnerability, security
May 20, 2022
CVE-2022-29205

Older TensorFlow versions crash when certain `tf.compat.v1.*` compatibility ops are called with data types they do not support (quantized types, whose kernels were only added after the move to TensorFlow 2.x). Because no kernel exists for the requested type, the code passes a null pointer (a reference to nothing in memory) where a value is expected and then dereferences it, producing a segmentation fault.

CVE-2022-29204: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Severity: medium | Tags: vulnerability, security
May 20, 2022
CVE-2022-29204

TensorFlow's `tf.raw_ops.UnsortedSegmentJoin` op does not fully validate its inputs before using them. A negative value where a positive one is expected fails an internal assertion and aborts the process, which makes it a denial-of-service bug: any caller who can influence that argument can crash the hosting program.

Page 91 of 109

Fix details for the remaining entries above (source for all of them: NVD/CVE Database)

CVE-2022-35941 (AvgPoolOp): Update to TensorFlow 2.10.0 or apply the patch from GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. Updates including the fix will also be released for TensorFlow 2.9.1, 2.8.1, and 2.7.2.

CVE-2022-35940 (RaggedRangeOp): Patched in GitHub commit 37cefa91bee4eace55715eeef43720b958a01192. The fix will be included in TensorFlow 2.10.0 and will also be applied to TensorFlow 2.9.1, 2.8.1, and 2.7.2.

CVE-2022-35939 (ScatterNd): Patched in GitHub commit b4d4b4cb019bd7240a52daa4ba61e3cc814f0384. The fix will be included in TensorFlow 2.10.0 and backported (applied to older versions still being supported) to TensorFlow 2.9.1, 2.8.1, and 2.7.2. There are no known workarounds.

CVE-2022-35938 (GatherNd): Patched in GitHub commit 4142e47e9e31db481781b955ed3ff807a781b494 and included in TensorFlow 2.10.0; also backported to TensorFlow 2.9.1, 2.8.1, and 2.7.2. Users should update to one of these versions.

CVE-2022-35937 (GatherNd): The fix will be included in TensorFlow 2.10.0, with patched versions also available as TensorFlow 2.9.1, 2.8.1, and 2.7.2. There are no known workarounds.

CVE-2022-35935 (SobolSampleOp): The fix is included in TensorFlow 2.10.0 and will also be applied to the still-supported TensorFlow 2.9.1, 2.8.1, and 2.7.2. Users should update; no workarounds are available until an update is applied.

CVE-2022-35934 (tf.reshape): Update to TensorFlow 2.10.0, or apply the cherry-pick to 2.9.1, 2.8.1, or 2.7.2 (the patched versions for users on older supported releases). The fix is GitHub commit 61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555. There are no known workarounds.

CVE-2022-35918 (Streamlit): Upgrade to Streamlit 1.11.1 or later. The advisory states: 'This issue has been resolved in version 1.11.1. Users are advised to upgrade.' No workarounds are available.

CVE-2022-29216 (saved_model_cli): Update TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 or later. The maintainers removed the `safe=False` argument, so input expressions are no longer parsed with `eval`.

CVE-2022-29213, CVE-2022-29212, CVE-2022-29211, CVE-2022-29209, CVE-2022-29208, CVE-2022-29206, CVE-2022-29205, CVE-2022-29204: Update to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4 or later, which contain the patch for each of these issues.

CVE-2022-29210 (TensorKey): Affects TensorFlow 2.8.0 only; patched in TensorFlow 2.9.0 and 2.8.1.