CVE-2021-37680 – Division by zero in TFLite in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37680
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of fully connected layers in TFLite is [vulnerable to a division by zero error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/fully_connected.cc#L226). We have patched the issue in GitHub commit 718721986aa137691ee23f03638867151f74935f. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/commit/718721986aa137691ee23f03638867151f74935f https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cfpj-3q4c-jhvr • CWE-369: Divide By Zero •
CVE-2021-37675 – Division by 0 in most convolution operators in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37675
TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww • CWE-369: Divide By Zero •
CVE-2021-37676 – Reference binding to nullptr in shape inference in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37676
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.SparseFillEmptyRows`. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/ops/sparse_ops.cc#L608-L634) does not validate that the input arguments are not empty tensors. We have patched the issue in GitHub commit 578e634b4f1c1c684d4b4294f9e5281b2133b3ed. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/578e634b4f1c1c684d4b4294f9e5281b2133b3ed https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v768-w7m9-2vmm • CWE-824: Access of Uninitialized Pointer •
CVE-2021-37671 – Reference binding to nullptr in map operations in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37671
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.Map*` and `tf.raw_ops.OrderedMap*` operations. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/map_stage_op.cc#L222-L248) has a check in place to ensure that `indices` is in ascending order, but does not check that `indices` is not empty. We have patched the issue in GitHub commit 532f5c5a547126c634fefd43bbad1dc6417678ac. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/532f5c5a547126c634fefd43bbad1dc6417678ac https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qr82-2c78-4m8h • CWE-824: Access of Uninitialized Pointer •
CVE-2021-37666 – Reference binding to nullptr in `RaggedTensorToVariant` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37666
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.RaggedTensorToVariant`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L129) has an incomplete validation of the splits values, missing the case when the argument would be empty. We have patched the issue in GitHub commit be7a4de6adfbd303ce08be4332554dff70362612. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/be7a4de6adfbd303ce08be4332554dff70362612 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-w4xf-2pqw-5mq7 • CWE-824: Access of Uninitialized Pointer •