Out-of-Bounds Affecting tensorflow-cpu package, versions [2.4.0,2.4.2) [2.3.0,2.3.3) [2.2.0,2.2.3) [,2.1.4)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-TENSORFLOWCPU-1315683
- published 1 Jul 2021
- disclosed 1 Jul 2021
- credit Unknown
Introduced: 1 Jul 2021
CVE-2021-29607 Open this link in a new tabHow to fix?
Upgrade tensorflow-cpu
to version 2.4.2, 2.3.3, 2.2.3, 2.1.4 or higher.
Overview
tensorflow-cpu is a machine learning framework.
Affected versions of this package are vulnerable to Out-of-Bounds. Incomplete validation in SparseAdd
results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of *_indices
matches the size of corresponding *_shape
. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation.