Out-of-Bounds Affecting tensorflow package, versions [2.5.0,2.5.1) [2.4.0,2.4.3) [,2.3.4)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-TENSORFLOW-1540815
- published 13 Aug 2021
- disclosed 13 Aug 2021
- credit Unknown
Introduced: 13 Aug 2021
CVE-2021-37654 Open this link in a new tabHow to fix?
Upgrade tensorflow to version 2.5.1, 2.4.3, 2.3.4 or higher.
Overview
tensorflow is a machine learning framework.
Affected versions of this package are vulnerable to Out-of-Bounds. An attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.raw_ops.ResourceGather or a read from outside the bounds of heap allocated data in the same API in a release build. The implementation does not check that the batch_dims value that the user supplies is less than the rank of the input tensor. Since the implementation uses several for loops over the dimensions of tensor, this results in reading data from outside the bounds of heap allocated buffer backing the tensor.