Out-of-Bounds Affecting tensorflow package, versions [2.5.0,2.5.1) [2.4.0,2.4.3) [,2.3.4)


0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Availability High

    Threat Intelligence

    EPSS 0.04% (11th percentile)
Expand this section
NVD
7.1 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-TENSORFLOW-1540815
  • published 13 Aug 2021
  • disclosed 13 Aug 2021
  • credit Unknown

How to fix?

Upgrade tensorflow to version 2.5.1, 2.4.3, 2.3.4 or higher.

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Out-of-Bounds. An attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.raw_ops.ResourceGather or a read from outside the bounds of heap allocated data in the same API in a release build. The implementation does not check that the batch_dims value that the user supplies is less than the rank of the input tensor. Since the implementation uses several for loops over the dimensions of tensor, this results in reading data from outside the bounds of heap allocated buffer backing the tensor.

References