Lucene search

[email protected]NVD:CVE-2021-41215

HistoryNov 05, 2021 - 9:15 p.m.

CVE-2021-41215

2021-11-0521:15:09

CWE-476

[email protected]

web.nvd.nist.gov

tensorflow

deserializesparse

shape inference

vulnerability

fix

2.7.0

cherrypick

2.6.1

2.5.2

2.4.4

supported range

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

12.8%

JSON

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for DeserializeSparse can trigger a null pointer dereference. This is because the shape inference function assumes that the serialize_sparse tensor is a tensor with positive rank (and having 3 as the last dimension). The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Affected configurations

Nvd

Node

googletensorflowRange<2.4.4

googletensorflowRange2.5.0–2.5.2

googletensorflowMatch2.6.0

VendorProductVersionCPE
googletensorflow*cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
googletensorflow2.6.0cpe:2.3:a:google:tensorflow:2.6.0:*:*:*:*:*:*:*