CVSS: 7.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37635 – Heap out of bounds access in sparse reduction operations in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37635
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of sparse reduction operations in TensorFlow can trigger accesses outside of bounds of heap allocated data. The [implementation](https://github.com/tensorflow/tensorflow/blob/a1bc56203f21a5a4995311825ffaba7a670d7747/tensorflow/core/kernels/sparse_reduce_op.cc#L217-L228) fails to validate that each reduction group does not overflow and that each corresponding index does not point to outside the bounds of the input tensor. We have patched the issue in GitHub commit 87158f43f05f2720a374f3e6d22a7aaa3a33f750. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/87158f43f05f2720a374f3e6d22a7aaa3a33f750 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cgfm-62j4-v4rf • CWE-125: Out-of-bounds Read •
CVSS: 7.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37664 – Heap OOB in boosted trees in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37664
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `BoostedTreesSparseCalculateBestFeatureSplit`. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/stats_ops.cc) needs to validate that each value in `stats_summary_indices` is in range. We have patched the issue in GitHub commit e84c975313e8e8e38bb2ea118196369c45c51378. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/e84c975313e8e8e38bb2ea118196369c45c51378 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r4c4-5fpq-56wg • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37659 – Out of bounds read via null pointer dereference in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37659
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don't require broadcasting (e.g., gradients of binary cwise operations). The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/cwise_ops_common.h#L264) assumes that the two inputs have exactly the same number of elements but does not check that. Hence, when the eigen functor executes it triggers heap OOB reads and undefined behavior due to binding to nullptr. We have patched the issue in GitHub commit 93f428fd1768df147171ed674fee1fc5ab8309ec. • https://github.com/tensorflow/tensorflow/commit/93f428fd1768df147171ed674fee1fc5ab8309ec https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q3g3-h9r4-prrc • CWE-125: Out-of-bounds Read CWE-476: NULL Pointer Dereference •
CVSS: 7.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37655 – Heap OOB in `ResourceScatterUpdate` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37655
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a read from outside of bounds of heap allocated data by sending invalid arguments to `tf.raw_ops.ResourceScatterUpdate`. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L919-L923) has an incomplete validation of the relationship between the shapes of `indices` and `updates`: instead of checking that the shape of `indices` is a prefix of the shape of `updates` (so that broadcasting can happen), code only checks that the number of elements in these two tensors are in a divisibility relationship. We have patched the issue in GitHub commit 01cff3f986259d661103412a20745928c727326f. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/01cff3f986259d661103412a20745928c727326f https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7fvx-3jfc-2cpc • CWE-125: Out-of-bounds Read •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37637 – Null pointer dereference in `CompressElement` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37637
TensorFlow is an end-to-end open source platform for machine learning. It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to `tf.raw_ops.CompressElement`. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/data/compression_utils.cc#L34) was accessing the size of a buffer obtained from the return of a separate function call before validating that said buffer is valid. We have patched the issue in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/5dc7f6981fdaf74c8c5be41f393df705841fb7c5 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c9qf-r67m-p7cg • CWE-476: NULL Pointer Dereference •