Out-of-bounds Read Affecting tensorflow-cpu package, versions [2.3.0,2.3.4) [2.4.0,2.4.3) [2.5.0,2.5.1)
Snyk CVSS
Attack Complexity
High
Confidentiality
High
Threat Intelligence
EPSS
0.05% (16th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-TENSORFLOWCPU-2314954
- published 10 Dec 2021
- disclosed 12 Aug 2021
- credit Yakun Zhang of Baidu Security
Introduced: 12 Aug 2021
CVE-2021-37687 Open this link in a new tabHow to fix?
Upgrade tensorflow-cpu
to version 2.3.4, 2.4.3, 2.5.1 or higher.
Overview
tensorflow-cpu is a machine learning framework.
Affected versions of this package are vulnerable to Out-of-bounds Read. The GatherNd
implementation does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with negative values in indices
. Similar issue exists in the Gather
implementation.