Vulnerability Description
TensorFlow is an end-to-end open source platform for machine learning. The API of `tf.raw_ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1bf2ed32bd4a246d6d6cadc4c903d/tensorflow/core/kernels/sparse_cross_op.cc#L114-L116) is tricked to consider a tensor of type `tstring` which in fact contains integral elements. Fixing the type confusion by preventing mixing `DT_STRING` and `DT_INT64` types solves this issue. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tensorflow | < 2.1.4 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/commit/b1cc5e5a50e7cee09f2c6eb48eb40ee9PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-772j-h9xw-ffp5ExploitPatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/commit/b1cc5e5a50e7cee09f2c6eb48eb40ee9PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-772j-h9xw-ffp5ExploitPatchThird Party Advisory
FAQ
What is CVE-2021-29519?
CVE-2021-29519 is a vulnerability with a CVSS score of 2.5 (LOW). TensorFlow is an end-to-end open source platform for machine learning. The API of `tf.raw_ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service. This is be...
How severe is CVE-2021-29519?
CVE-2021-29519 has been rated LOW with a CVSS base score of 2.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-29519?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.