CVE-2022-23582: 
Python vulnerability analysis and mitigation

CVE-2022-23582 affects TensorFlow, an Open Source Machine Learning Framework. The vulnerability was discovered and disclosed in February 2022, affecting versions prior to 2.8.0. A malicious user can cause a denial of service by altering a SavedModel such that TensorByteSize would trigger CHECK failures (TF Advisory).

The vulnerability exists in the TensorByteSize function where the TensorShape constructor throws a CHECK-fail if the shape is partial or has a number of elements that would overflow the size of an integer. The issue occurs because the TensorShape constructor performs strict validation that causes a CHECK-abort in these cases, while the PartialTensorShape constructor is designed to handle partial shapes by returning -1 without aborting (TF Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (NVD).

The vulnerability allows attackers to cause a denial of service condition by crafting a malicious SavedModel that triggers CHECK failures in the TensorByteSize function. This can lead to application crashes and service disruption (TF Advisory).

The vulnerability has been patched in TensorFlow 2.8.0 and backported to versions 2.7.1, 2.6.3, and 2.5.3. The fix involves replacing the use of TensorShape with PartialTensorShape in the TensorByteSize function. Users are advised to upgrade to these patched versions (TF Advisory).