
CVE-2023-27579: TensorFlow has Floating Point Exception in TFLite in conv kernel

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.34082%
Published: 3/24/2023
Updated: 3/30/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| tensorflow | pip | < 2.11.1 | 2.11.1 |
| tensorflow-cpu | pip | < 2.11.1 | 2.11.1 |
| tensorflow-gpu | pip | < 2.11.1 | 2.11.1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the missing validation of 'filter_input_channel' in the convolution kernel's Prepare function. The commit diff explicitly adds a 'TF_LITE_ENSURE(context, filter_input_channel > 0)' check to this function, confirming this was the vulnerable location. The FPE occurs during the groups calculation when filter_input_channel ≤ 0, which is directly addressed by this patch.
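
A simplified model of the check described above, added here as an example; it is not TensorFlow's code. The names `shape4`, `groups_unchecked` and `prepare_groups`, the status codes, the sample shapes and the extra divisibility check are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical status codes standing in for a kernel Prepare result. */
typedef enum { PREPARE_OK = 0, PREPARE_ERROR = 1 } prepare_status;

/* Constructed stand-in for a 4-D tensor shape; dims[3] is the channel count. */
typedef struct { int dims[4]; } shape4;

/* Before the fix: the divisor comes straight from the model file. A zero
 * channel count divides by zero, which is undefined behaviour in C and
 * typically kills the process with SIGFPE. */
static int groups_unchecked(const shape4 *input, const shape4 *filter) {
    return input->dims[3] / filter->dims[3];
}

/* After the fix: reject a non-positive divisor before any arithmetic,
 * mirroring the filter_input_channel > 0 check described above. */
static prepare_status prepare_groups(const shape4 *input, const shape4 *filter,
                                     int *groups) {
    int input_channel = input->dims[3];
    int filter_input_channel = filter->dims[3];
    if (filter_input_channel <= 0) return PREPARE_ERROR;
    /* Assumption of this example: also require an exact split into groups. */
    if (input_channel % filter_input_channel != 0) return PREPARE_ERROR;
    *groups = input_channel / filter_input_channel;
    return PREPARE_OK;
}

int main(void) {
    shape4 input = {{1, 8, 8, 8}};          /* constructed sample shapes */
    shape4 filters[] = {{{4, 3, 3, 4}}, {{4, 3, 3, 0}}, {{4, 3, 3, -1}}};
    printf("unchecked, valid filter: groups=%d\n",
           groups_unchecked(&input, &filters[0]));
    for (int i = 0; i < 3; i++) {
        int groups = 0;
        prepare_status st = prepare_groups(&input, &filters[i], &groups);
        if (st == PREPARE_OK)
            printf("filter channels %d: groups=%d\n", filters[i].dims[3], groups);
        else
            printf("filter channels %d: rejected\n", filters[i].dims[3]);
    }
    return 0;
}
```

The checked path leaves the output untouched on rejection, so a caller that treats the error status as a failed model load never reaches the division.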
