CVE-2022-23568: 
Python vulnerability analysis and mitigation

CVE-2022-23568 affects TensorFlow, an Open Source Machine Learning Framework. The vulnerability was discovered in the implementation of AddManySparseToTensorsMap function, which was found to be vulnerable to an integer overflow condition. The issue was disclosed on February 2, 2022, affecting TensorFlow versions prior to 2.8.0. The vulnerability impacts multiple versions of TensorFlow including versions up to 2.5.2, versions from 2.6.0 to 2.6.2, and version 2.7.0 (NVD, GitHub Advisory).

The vulnerability stems from missing validation on the shapes of input tensors and direct construction of large TensorShape objects with user-provided dimensions. When building new TensorShape objects, the integer overflow results in a CHECK-fail, leading to an assert failure-based denial of service. The issue can be triggered by providing specific input parameters to the AddManySparseToTensorsMap function. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is a denial of service condition through assert failure. When exploited, the integer overflow can cause the application to fail when attempting to build new TensorShape objects, potentially disrupting the normal operation of TensorFlow applications (GitHub Advisory).

The vulnerability has been patched in multiple versions of TensorFlow. The fix is included in TensorFlow 2.8.0, and has been backported to TensorFlow 2.7.1, 2.6.3, and 2.5.3. The fix involves replacing the direct call to TensorShape constructor with a call to BuildTensorShape static helper factory, as implemented in commits a68f68061e263a88321c104a6c911fe5598050a8 and b51b82fe65ebace4475e3c54eb089c18a4403f1c (GitHub Advisory).