
Cloud Vulnerability DB
A community-led vulnerabilities database
TensorFlow, an end-to-end open source platform for machine learning, was found to contain a vulnerability identified as CVE-2023-27579. The vulnerability occurs when constructing a TFLite model with a filter_input_channel parameter of less than 1, which results in a Floating Point Exception (FPE). This security issue was patched in TensorFlow version 2.12.0, with the fix also being backported to version 2.11.1 (GitHub Advisory).
The vulnerability stems from improper validation of the filter_input_channel parameter in the TensorFlow Lite convolution kernel. The issue occurs when this parameter is set to a value less than 1, triggering a Floating Point Exception. The fix involved adding an explicit check to ensure that filter_input_channel is greater than 0 before proceeding with calculations. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
The vulnerability affects the availability of systems using TensorFlow versions prior to 2.12.0. When exploited, it can cause the application to crash due to the Floating Point Exception, potentially leading to denial of service conditions (GitHub Advisory).
The vulnerability has been patched in TensorFlow version 2.12.0 and backported to version 2.11.1. Users are advised to upgrade to these or later versions. The fix was implemented through GitHub commit 34f8368c535253f5c9cb3a303297743b62442aaa, which adds validation to ensure the filter_input_channel parameter is greater than 0 (GitHub Commit).
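The kind of guard described above, as an added example that is not TensorFlow's code or the commit itself. It assumes the value is later used as an integer divisor (the usual source of a Floating Point Exception on x86 Linux); the function name, status codes and sample shapes are hypothetical.

```c
#include <stdio.h>

/* Hypothetical names throughout; this is not TensorFlow Lite's API. */
typedef enum { SHAPE_OK = 0, SHAPE_ERROR = 1 } shape_status;

/* Assumed calculation: a convolution kernel derives its group count as
 * input_channel / filter_input_channel after checking divisibility.
 * With filter_input_channel == 0 both operators divide by zero, which is
 * undefined behaviour in C and is delivered as SIGFPE on x86 Linux. */
shape_status conv_group_count(int input_channel, int filter_input_channel,
                              int *groups) {
    /* The guard: reject anything less than 1 before the value is used
     * as a divisor. Rejecting negatives also rules out INT_MIN % -1,
     * which overflows and is likewise undefined. */
    if (filter_input_channel <= 0) {
        return SHAPE_ERROR;
    }
    /* Only now is it safe to use the value in % and /. */
    if (input_channel % filter_input_channel != 0) {
        return SHAPE_ERROR;
    }
    *groups = input_channel / filter_input_channel;
    return SHAPE_OK;
}

int main(void) {
    /* Constructed sample shapes: {input_channel, filter_input_channel}. */
    const int cases[4][2] = { {8, 4}, {8, 0}, {8, -2}, {8, 3} };
    for (int i = 0; i < 4; i++) {
        int groups = 0;
        shape_status s = conv_group_count(cases[i][0], cases[i][1], &groups);
        if (s == SHAPE_OK) {
            printf("in=%d filter_in=%d -> groups=%d\n",
                   cases[i][0], cases[i][1], groups);
        } else {
            printf("in=%d filter_in=%d -> rejected\n",
                   cases[i][0], cases[i][1]);
        }
    }
    return 0;
}
```

The order of the checks matters: the range check has to run before the first `%` or `/` that uses the value, otherwise the process is terminated before any error can be returned.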
Source: This report was generated using AI