CVE-2021-29560
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in tf.raw_ops.RaggedTensorToTensor. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222) uses the same index to access two arrays in parallel. Since the user controls the shape of the input arguments, an attacker could trigger a heap OOB access when parent_output_index is shorter than row_split. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| tensorflow | tensorflow | < 2.1.4 | affected |
| tensorflow | tensorflow | >= 2.2.0, < 2.2.3 | affected |
| tensorflow | tensorflow | >= 2.3.0, < 2.3.3 | affected |
| tensorflow | tensorflow | >= 2.4.0, < 2.4.2 | affected |
Weaknesses
- CWE-125: CWE-125: Out-of-bounds Read
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8gv3-57p6-g35r
- https://github.com/tensorflow/tensorflow/commit/a84358aa12f0b1518e606095ab9cfddbf597c121
References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8gv3-57p6-g35r
- https://github.com/tensorflow/tensorflow/commit/a84358aa12f0b1518e606095ab9cfddbf597c121
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.