Lucene search

[email protected]NVD:CVE-2021-41227

HistoryNov 05, 2021 - 11:15 p.m.

CVE-2021-41227

2021-11-0523:15:08

CWE-125

[email protected]

web.nvd.nist.gov

tensorflow

immutableconst

operation

arbitrary memory read

vulnerability

versions 2.4.4

2.5.2

2.6.1

2.7.0

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

29.1%

JSON

TensorFlow is an open source platform for machine learning. In affected versions the ImmutableConst operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the tstring TensorFlow string class has a special case for memory mapped strings but the operation itself does not offer any support for this datatype. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Affected configurations

Nvd

Node

googletensorflowRange2.4.0–2.4.4

googletensorflowRange2.5.0–2.5.2

googletensorflowRange2.6.0–2.6.1

googletensorflowMatch2.7.0rc0

googletensorflowMatch2.7.0rc1

VendorProductVersionCPE
googletensorflow*cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
googletensorflow2.7.0cpe:2.3:a:google:tensorflow:2.7.0:rc0:*:*:*:*:*:*
googletensorflow2.7.0cpe:2.3:a:google:tensorflow:2.7.0:rc1:*:*:*:*:*:*

Vendor	Product	Version	CPE
google	tensorflow	*	cpe:2.3:a:google:tensorflow::::::::
google	tensorflow	2.7.0	cpe:2.3:a:google:tensorflow:2.7.0:rc0::::::
google	tensorflow	2.7.0	cpe:2.3:a:google:tensorflow:2.7.0:rc1::::::