CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-41196 – Crash in `max_pool3d` when size argument is 0 or negative
https://notcve.org/view.php?id=CVE-2021-41196
TensorFlow is an open source platform for machine learning. In affected versions the Keras pooling layers can trigger a segfault if the size of the pool is 0 or if a dimension is negative. This is due to the TensorFlow's implementation of pooling operations where the values in the sliding window are not checked to be strictly positive. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/commit/12b1ff82b3f26ff8de17e58703231d5a02ef1b8b https://github.com/tensorflow/tensorflow/issues/51936 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m539-j985-hcr8 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 1CVE-2021-41195 – Crash in `tf.math.segment_*` operations
https://notcve.org/view.php?id=CVE-2021-41195
TensorFlow is an open source platform for machine learning. In affected versions the implementation of `tf.math.segment_*` operations results in a `CHECK`-fail related abort (and denial of service) if a segment id in `segment_ids` is large. This is similar to CVE-2021-29584 (and similar other reported vulnerabilities in TensorFlow, localized to specific APIs): the implementation (both on CPU and GPU) computes the output shape using `AddDim`. However, if the number of elements in the tensor overflows an `int64_t` value, `AddDim` results in a `CHECK` failure which provokes a `std::abort`. Instead, code should use `AddDimWithStatus`. • https://github.com/tensorflow/tensorflow/commit/e9c81c1e1a9cd8dd31f4e83676cab61b60658429 https://github.com/tensorflow/tensorflow/issues/46888 https://github.com/tensorflow/tensorflow/pull/51733 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cq76-mxrc-vchh • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 2CVE-2021-35958
https://notcve.org/view.php?id=CVE-2021-35958
TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives ** EN DISPUTA ** TensorFlow versiones hasta 2.5.0, permite a atacantes sobrescribir archivos arbitrarios por medio de un archivo diseñado cuando se usa la función tf.keras.utils.get_file con extract=True. NOTA: la posición del proveedor es que la función tf.keras.utils.get_file no está pensado para archivos no confiables • https://github.com/miguelc49/CVE-2021-35958-2 https://github.com/miguelc49/CVE-2021-35958-1 https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall https://github.com/tensorflow/tensorflow/blob/b8cad4c631096a34461ff8a07840d5f4d123ce32/tensorflow/python/keras/README.md https://github.com/tensorflow/tensorflow/blob/b8cad4c631096a34461ff8a07840d5f4d123ce32/tensorflow/python/keras/utils/data_utils.py#L137 https://keras.io/api https://vuln.ryotak.me/advisories/52 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2021-29513 – Type confusion during tensor casts lead to dereferencing null pointers
https://notcve.org/view.php?id=CVE-2021-29513
TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++ array(https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L113-L169) is vulnerable to a type confusion. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/commit/030af767d357d1b4088c4a25c72cb3906abac489 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-452g-f7fp-9jf7 • CWE-476: NULL Pointer Dereference CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2021-29515 – Reference binding to null pointer in `MatrixDiag*` ops
https://notcve.org/view.php?id=CVE-2021-29515
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixDiag*` operations(https://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8e3eb857e9e4c3ff33/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L195-L197) does not validate that the tensor arguments are non-empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range. TensorFlow es una plataforma de código abierto de extremo a extremo para el aprendizaje automático. • https://github.com/tensorflow/tensorflow/commit/a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hc6c-75p4-hmq4 • CWE-476: NULL Pointer Dereference •