
CVE-2022-35994: TensorFlow vulnerable to `CHECK` fail in `CollectiveGather`

CVSS Score: 5.9 (CVSS v3.1)

Basic Information

EPSS Score: 0.29053%
Published: 9/16/2022
Updated: 1/28/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
tensorflow     | pip       | < 2.7.2             | 2.7.2
tensorflow     | pip       | >= 2.8.0, < 2.8.1   | 2.8.1
tensorflow     | pip       | >= 2.9.0, < 2.9.1   | 2.9.1
tensorflow-cpu | pip       | < 2.7.2             | 2.7.2
tensorflow-cpu | pip       | >= 2.8.0, < 2.8.1   | 2.8.1
tensorflow-cpu | pip       | >= 2.9.0, < 2.9.1   | 2.9.1
tensorflow-gpu | pip       | < 2.7.2             | 2.7.2
tensorflow-gpu | pip       | >= 2.8.0, < 2.8.1   | 2.8.1
tensorflow-gpu | pip       | >= 2.9.0, < 2.9.1   | 2.9.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from an unvalidated input rank in the `CollectiveGather` implementation. The GitHub patch adds a rank check in `ComputeAsyncImpl`, and the CVE description explicitly identifies `CollectiveGather` as the vulnerable operation. The test case in `collective_ops_test.py` exercises this code path directly with a scalar input, confirming the identity of the vulnerable function.


WAF Protection Rules

WAF Rule

Impact

When `CollectiveGather` receives a scalar `input`, it triggers a `CHECK` failure that can be used to cause a denial of service.

T** vuln*r**ility st*ms *rom t** unv*li**t** input r*nk in *oll**tiv***t**r's impl*m*nt*tion. T** *it*u* p*t** ***s * r*nk ****k in *omput**syn*Impl, *n* t** *V* **s*ription *xpli*itly i**nti*i*s *oll**tiv***t**r *s t** vuln*r**l* op*r*tion. T** t*st