CVE-2021-29588
2.5
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
TensorFlow is an end-to-end open source platform for machine learning. The optimized implementation of the TransposeConv TFLite operator is vulnerable to a division by zero error. An attacker can craft a model such that stride_{h,w} values are 0. Code calling this function must validate these arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| tensorflow | tensorflow | < 2.1.4 | affected |
| tensorflow | tensorflow | >= 2.2.0, < 2.2.3 | affected |
| tensorflow | tensorflow | >= 2.3.0, < 2.3.3 | affected |
| tensorflow | tensorflow | >= 2.4.0, < 2.4.2 | affected |
Weaknesses
- CWE-369: CWE-369: Divide By Zero
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vfr4-x8j2-3rf9
- https://github.com/tensorflow/tensorflow/commit/801c1c6be5324219689c98e1bd3e0ca365ee834d
References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vfr4-x8j2-3rf9
- https://github.com/tensorflow/tensorflow/commit/801c1c6be5324219689c98e1bd3e0ca365ee834d
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.