GHSA-wcv5-vrvr-3rx2: 
Python vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-wcv5-vrvr-3rx2) was identified in TensorFlow's Grappler component, affecting versions prior to 2.8.0. The vulnerability, discovered in February 2022, impacts multiple TensorFlow packages including tensorflow, tensorflow-cpu, and tensorflow-gpu. This security issue is related to a denial of service vulnerability via CHECK-failure in constant folding operations (GitHub Advisory).

The vulnerability stems from the Grappler component's constant folding functionality where a CHECK-failure can occur in the PartialTensorShape constructor. The issue arises when processing output_prop tensors with shapes controlled by user input. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Moderate) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-190 (Integer Overflow or Wraparound) (GitHub Advisory).

The vulnerability can lead to denial of service through assertion failures in the system. When exploited, it affects the availability of the service while maintaining the confidentiality and integrity of the data. This is particularly concerning for systems that rely on TensorFlow's Grappler component for constant folding operations (GitHub Advisory).

The vulnerability has been patched in multiple versions: TensorFlow 2.5.3, 2.6.3, and 2.7.1. The fix was implemented through GitHub commit be7b286d40bc68cb0b56f702186cc4837d508058 and was included in TensorFlow 2.8.0. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory, TensorFlow Commit).