CVE-2021-29581

Published: May 14, 2021Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.CTCBeamSearchDecoder`, an attacker can trigger denial of service via segmentation faults. The implementation(https://github.com/tensorflow/tensorflow/blob/a74768f8e4efbda4def9f16ee7e13cf3922ac5f7/tensorflow/core/kernels/ctc_decoder_ops.cc#L68-L79) fails to detect cases when the input tensor is empty and proceeds to read data from a null buffer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Affected (4)

Products: Google: Tensorflow

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Google Tensorflow	Before 2.1.4
Google Tensorflow	From 2.2.0 to 2.2.3
Google Tensorflow	From 2.3.0 to 2.3.3
Google Tensorflow	From 2.4.0 to 2.4.2

Related CWEs

Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

References (4)

https://github.com/tensorflow/tensorflow/commit/b1b323042264740c398140da32e93fb9c2c9f33e

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vq2r-5xvm-3hc3

Source: security-advisories@github.com

ExploitPatchThird Party Advisory

https://github.com/tensorflow/tensorflow/commit/b1b323042264740c398140da32e93fb9c2c9f33e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vq2r-5xvm-3hc3

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.