GHSA-cqvq-fvhr-v6hc: 
Python vulnerability analysis and mitigation

A vulnerability was discovered in TensorFlow's SobolSample operation, identified as GHSA-cqvq-fvhr-v6hc and related to CVE-2022-35935. The issue was published on November 18, 2022, and affects multiple versions of TensorFlow packages (tensorflow, tensorflow-cpu, tensorflow-gpu) including versions < 2.8.4, >= 2.9.0 < 2.9.3, and >= 2.10.0 < 2.10.1. This vulnerability represents another instance of a denial of service vulnerability via assumed scalar inputs (GitHub Advisory).

The vulnerability exists in the SobolSample operation where there is missing validation for scalar inputs. The issue can be triggered using TensorFlow's raw operations API with specific parameter combinations. A proof of concept example demonstrates the vulnerability: tf.raw_ops.SobolSample(dim=tf.constant([1,0]), num_results=tf.constant([1]), skip=tf.constant([1])) (GitHub Advisory).

The vulnerability can lead to a denial of service condition when exploited. The severity of this issue has been rated as Low according to the official assessment (GitHub Advisory).

The issue has been patched in multiple versions of TensorFlow. Fixed versions include TensorFlow 2.8.4, 2.9.3, 2.10.1, and 2.11.0. The patches were implemented through two GitHub commits (c65c67f88ad770662e8f191269a907bf2b94b1bf and 02400ea266bd811fc016a848445de1bbff3a23a0). Users are advised to upgrade to the patched versions (GitHub Advisory).