Lucene search

[email protected]NVD:CVE-2021-41225

HistoryNov 05, 2021 - 11:15 p.m.

CVE-2021-41225

2021-11-0523:15:08

CWE-908

[email protected]

web.nvd.nist.gov

tensorflow

grappler

optimizer

uninitialized variable

vulnerability

fix

version 2.7.0

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

17.8%

JSON

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow’s Grappler optimizer has a use of unitialized variable. If the train_nodes vector (obtained from the saved model that gets optimized) does not contain a Dequeue node, then dequeue_node is left unitialized. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Affected configurations

Nvd

Node

googletensorflowRange2.4.0–2.4.4

googletensorflowRange2.5.0–2.5.2

googletensorflowRange2.6.0–2.6.1

googletensorflowMatch2.7.0rc0

googletensorflowMatch2.7.0rc1

VendorProductVersionCPE
googletensorflow*cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
googletensorflow2.7.0cpe:2.3:a:google:tensorflow:2.7.0:rc0:*:*:*:*:*:*
googletensorflow2.7.0cpe:2.3:a:google:tensorflow:2.7.0:rc1:*:*:*:*:*:*

Vendor	Product	Version	CPE
google	tensorflow	*	cpe:2.3:a:google:tensorflow::::::::
google	tensorflow	2.7.0	cpe:2.3:a:google:tensorflow:2.7.0:rc0::::::
google	tensorflow	2.7.0	cpe:2.3:a:google:tensorflow:2.7.0:rc1::::::