CVE-2021-41203 — HIGH (7.8)

Q: How severe is CVE-2021-41203?

CVE-2021-41203 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-41203?

Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.

Vulnerability Description

TensorFlow is an open source platform for machine learning. In affected versions an attacker can trigger undefined behavior, integer overflows, segfaults and `CHECK`-fail crashes if they can change saved checkpoints from outside of TensorFlow. This is because the checkpoints loading infrastructure is missing validation for invalid file formats. The fixes will be included in TensorFlow 2.7.0. We will also cherrypick these commits on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Google	Tensorflow	< 2.4.4

Related Weaknesses (CWE)

CWE-190 CWE-345

References

https://github.com/tensorflow/tensorflow/commit/368af875869a204b4ac552b9ddda59f6PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/abcced051cb1bd8fb05046ac3b6023a7PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/b619c6f865715ca3b15ef1842b5b95edPatchThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/e8dc63704c88007ee4713076605c9018PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7pxj-m4jf-r6h2Third Party Advisory
https://github.com/tensorflow/tensorflow/commit/368af875869a204b4ac552b9ddda59f6PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/abcced051cb1bd8fb05046ac3b6023a7PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/b619c6f865715ca3b15ef1842b5b95edPatchThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/e8dc63704c88007ee4713076605c9018PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7pxj-m4jf-r6h2Third Party Advisory

FAQ

What is CVE-2021-41203?

CVE-2021-41203 is a vulnerability with a CVSS score of 7.8 (HIGH). TensorFlow is an open source platform for machine learning. In affected versions an attacker can trigger undefined behavior, integer overflows, segfaults and `CHECK`-fail crashes if they can change sa...

How severe is CVE-2021-41203?

CVE-2021-41203 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-41203?

Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.