CVE-2023-25661: TensorFlow is an Open Source Machine Learning Framework. In ..
•
Mar 27, 2023
•
Apr 3, 2023
Description
TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose` function. This Convolution3DTranspose layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure could be potentially used to trigger a denial of service attack on ML cloud services. An attacker must have privilege to provide input to a `Convolution3DTranspose` call. This issue has been patched and users are advised to upgrade to version 2.11.1. There are no known workarounds for this vulnerability.
Products affected:
google» tensorflow » *
In a few clicks Akto can analyze your API attack surface and see what APIs are vulnerable to OWASP Top 10 and other common CWEs.
Severity
6.5
/
10
CVSS base metrics
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
User interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Exploitability Score
2.8
Impact Score
3.6
Weakness
NVD-CWE-noinfo__CWE-20__
Learn from academy
What is Metasploit and Nmap?
Drupal Penetration Testing
NIST Penetration Testing
Nessus Penetration Testing
Qualys Penetration Testing
Grey Box Penetration Testing Methodology
Black Box Penetration Testing Methodology
Cloud Penetration Testing Methodology
Active Directory Pentesting Methodology
GraphQL Penetration Testing Methodology
What is API Pentesting?
What is Automated Penetration Testing?
What is API Security?
What is API Security Posture?
What is API Security Testing?
API Security Checklist
What is a Shadow API?
What is a Zombie API?
What are Business Logic Vulnerabilities?
What is API Protection?
What is API Linting?
What is API Sprawl?
Security Misconfiguration in API
What is Internal API?
What is External API?
Internal vs External API
Sensitive Data Exposure
Data at Rest
Data in Transit
Data Breaches
API Security and Compliance
SOC 2: A Guide to SOC 2 Compliance
FedRAMP Guidelines
What is HIPAA Compliance
Authentication
Authorization
Authentication vs Authorization
HTTP Authentication
Access-Control-Allow-Origin (ACAO)
What is API?
Related tests
JWT authentication bypass via jku header injection
eSMTP - Config Discovery
Nginx - Git Configuration Exposure
Laravel - Sensitive Information Disclosure
Docker Container - Misconfiguration Exposure
Msmtp - Config Exposure
Parameters.yml - File Discovery
Mongo Express - Unauthenticated Access
Apache Airflow Configuration Exposure
Dockerrun AWS Configuration Exposure
Apache Config file disclosure
Appspec Yml Disclosure
Explore more from Akto
Blog
Be updated about everything related to API Security, new API vulnerabilities, industry news and product updates.
Test Library
Discover and find tests from Akto's 100+ API Security test library. Choose your template or add a new template to start your API Security testing.
Documentation
Check out Akto's product documentation for all information related to features and how to use them.