Vulnerability Description
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure, which aborts the process. The implementation (https://github.com/tensorflow/tensorflow/blob/e87b51ce05c3eb172065a6ea5f48415854223285/tensorflow/core/kernels/sparse_reshape_op.cc#L40) has no validation that the input arguments specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions.
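The description above says the kernel accepted its inputs without checking that they describe a valid sparse tensor, so malformed inputs reached a `CHECK` and aborted the process. The following is an added example, not TensorFlow's own code: a NumPy-only model of the kind of argument validation a reshape-style op needs on the (indices, values, dense_shape) triple, plus a check that `new_shape` is compatible before any reshaping happens. The function names `validate_sparse_components`, `resolve_new_shape` and `guarded_sparse_reshape` are hypothetical; the single-`-1` wildcard rule follows the usual reshape convention and is not taken from the page. Malformed input yields an error value instead of a crash.

```python
import numpy as np


def validate_sparse_components(indices, values, dense_shape):
    """Return None if (indices, values, dense_shape) form a well-formed COO
    sparse tensor, otherwise a string describing the first problem found.
    Hypothetical helper (added example), not TensorFlow's validation code."""
    indices = np.asarray(indices)
    values = np.asarray(values)
    dense_shape = np.asarray(dense_shape)
    if indices.ndim != 2:
        return "indices must be a rank-2 [nnz, rank] matrix"
    if values.ndim != 1:
        return "values must be a rank-1 vector"
    if dense_shape.ndim != 1:
        return "dense_shape must be a rank-1 vector"
    nnz, rank = indices.shape
    if values.shape[0] != nnz:
        return f"values has {values.shape[0]} entries but indices has {nnz} rows"
    if dense_shape.shape[0] != rank:
        return f"dense_shape has {dense_shape.shape[0]} dims but indices has {rank} columns"
    if np.any(dense_shape < 0):
        return "dense_shape contains a negative dimension"
    # Every stored coordinate must lie inside the dense bounding box.
    if nnz and (np.any(indices < 0) or np.any(indices >= dense_shape)):
        return "an index lies outside dense_shape"
    return None


def resolve_new_shape(dense_shape, new_shape):
    """Resolve at most one -1 wildcard in new_shape and check that the element
    count matches dense_shape. Returns (resolved_shape, None) on success or
    (None, error_string) on failure."""
    dense_shape = np.asarray(dense_shape, dtype=np.int64)
    new_shape = np.asarray(new_shape, dtype=np.int64)
    if new_shape.ndim != 1:
        return None, "new_shape must be a rank-1 vector"
    if np.any(new_shape < -1):
        return None, "new_shape contains an invalid negative dimension"
    wildcards = np.flatnonzero(new_shape == -1)
    if len(wildcards) > 1:
        return None, "at most one dimension of new_shape may be -1"
    total = int(np.prod(dense_shape))
    if len(wildcards) == 1:
        known = int(np.prod(np.delete(new_shape, wildcards)))
        if known == 0 or total % known:
            return None, "cannot infer the -1 dimension from the other dimensions"
        new_shape = new_shape.copy()
        new_shape[wildcards[0]] = total // known
    if int(np.prod(new_shape)) != total:
        return None, f"new_shape has {int(np.prod(new_shape))} elements, input has {total}"
    return new_shape, None


def guarded_sparse_reshape(indices, values, dense_shape, new_shape):
    """Reshape a COO sparse tensor, refusing malformed input with an error
    value rather than letting it reach a process-aborting check."""
    err = validate_sparse_components(indices, values, dense_shape)
    if err:
        return None, err
    resolved, err = resolve_new_shape(dense_shape, new_shape)
    if err:
        return None, err
    indices = np.asarray(indices, dtype=np.int64)
    values = np.asarray(values)
    if indices.shape[0] == 0:
        return (indices.reshape(0, len(resolved)), values, resolved), None
    # Map each coordinate to its flat offset in the old shape, then back into
    # coordinates in the new shape; values are untouched by a reshape.
    old_dims = tuple(int(d) for d in dense_shape)
    new_dims = tuple(int(d) for d in resolved)
    flat = np.ravel_multi_index(indices.T, old_dims)
    new_indices = np.stack(np.unravel_index(flat, new_dims), axis=1)
    return (new_indices, values, resolved), None


if __name__ == "__main__":
    # Constructed sample input: a 2x3 sparse matrix with two stored entries.
    ok, err = guarded_sparse_reshape([[0, 1], [1, 2]], [1.0, 2.0], [2, 3], [-1, 2])
    print("well-formed:", ok[0].tolist(), ok[2].tolist(), err)
    # Constructed malformed input: values length disagrees with indices rows.
    print("malformed:", guarded_sparse_reshape([[0, 1]], [1.0, 2.0], [2, 3], [3, 2])[1])
```

The point of the three-stage structure is that every consistency condition is checked before the coordinate arithmetic runs, so a caller that feeds inconsistent shapes gets a recoverable error rather than a terminated worker.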
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Tensorflow | < 2.1.4 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/commit/1d04d7d93f4ed3854abf75d6b712d72c (Patch, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9rpc-5v9q-5r7f (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2021-29611?
CVE-2021-29611 is a vulnerability with a CVSS score of 3.6 (LOW). TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The implementation (https://gi...
How severe is CVE-2021-29611?
CVE-2021-29611 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-29611?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.