Vulnerability Description
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit onto TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still within the supported range.
CVSS Score
2.5 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Tensorflow | < 2.1.4 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/issues/46900 (Broken Link)
- https://github.com/tensorflow/issues/46974 (Broken Link)
- https://github.com/tensorflow/tensorflow/commit/890f7164b70354c57d40eda52dcdd765 (Patch, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mmq6-q8r3-48fm (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2021-29617?
CVE-2021-29617 is a vulnerability with a CVSS score of 2.5 (LOW). TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be include...
How severe is CVE-2021-29617?
CVE-2021-29617 has been rated LOW with a CVSS base score of 2.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-29617?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.