Homepage
About Snyk

tensorflow@2.11.1 vulnerabilities

TensorFlow is an open source machine learning framework for everyone.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the tensorflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Arbitrary File Write via Archive Extraction (Zip Slip)

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via a crafted archive when tf.keras.utils.get_file is used with extract=True.

NOTE: This CVE is disputed as the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives. However, we feel this advisory is relevant as at the time of publication, there is no known security notice or documentation warning users of this behavior.

UPDATE: With the addition of a clear warning to the API documentation on Feb 23, 2023, this issue is considered fixed.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade tensorflow to version 2.12.0rc1 or higher.

[,2.12.0rc1)
Go back to all versions of this package