CVE-2022-35997: 
Python vulnerability analysis and mitigation

TensorFlow, an open source platform for machine learning, was found to contain a vulnerability (CVE-2022-35997) where if tf.sparse.cross receives an input separator that is not a scalar, it triggers a CHECK fail that can lead to a denial of service attack. The vulnerability was discovered by Kang Hong Jin and was patched in TensorFlow versions 2.7.4, 2.8.3, 2.9.2, and 2.10.0 (GitHub Advisory).

The vulnerability exists in the tf.sparse.cross function implementation where the input parameter separator was not properly validated to ensure it was a scalar value. The issue was assigned a CVSS v3.1 base score of 7.5 (HIGH) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while GitHub assessed it as 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-617 (Reachable Assertion) (NVD).

When exploited, this vulnerability can be used to trigger a denial of service attack by causing the application to crash through a CHECK failure when providing a non-scalar separator input to the tf.sparse.cross function (GitHub Advisory).

The vulnerability was patched in GitHub commit 83dcb4dbfa094e33db084e97c4d0531a559e0ebf and included in TensorFlow versions 2.7.4, 2.8.3, 2.9.2, and 2.10.0. Users should upgrade to these patched versions. No known workarounds were available for this issue prior to the patch (GitHub Advisory).