CVSS: 7.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37655 – Heap OOB in `ResourceScatterUpdate` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37655
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a read from outside of bounds of heap allocated data by sending invalid arguments to `tf.raw_ops.ResourceScatterUpdate`. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L919-L923) has an incomplete validation of the relationship between the shapes of `indices` and `updates`: instead of checking that the shape of `indices` is a prefix of the shape of `updates` (so that broadcasting can happen), code only checks that the number of elements in these two tensors are in a divisibility relationship. We have patched the issue in GitHub commit 01cff3f986259d661103412a20745928c727326f. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/01cff3f986259d661103412a20745928c727326f https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7fvx-3jfc-2cpc • CWE-125: Out-of-bounds Read •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37637 – Null pointer dereference in `CompressElement` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37637
TensorFlow is an end-to-end open source platform for machine learning. It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to `tf.raw_ops.CompressElement`. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/data/compression_utils.cc#L34) was accessing the size of a buffer obtained from the return of a separate function call before validating that said buffer is valid. We have patched the issue in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/5dc7f6981fdaf74c8c5be41f393df705841fb7c5 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c9qf-r67m-p7cg • CWE-476: NULL Pointer Dereference •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37649 – Null pointer dereference in `UncompressElement` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37649
TensorFlow is an end-to-end open source platform for machine learning. The code for `tf.raw_ops.UncompressElement` can be made to trigger a null pointer dereference. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/compression_ops.cc#L50-L53) obtains a pointer to a `CompressedElement` from a `Variant` tensor and then proceeds to dereference it for decompressing. There is no check that the `Variant` tensor contained a `CompressedElement`, so the pointer is actually `nullptr`. We have patched the issue in GitHub commit 7bdf50bb4f5c54a4997c379092888546c97c3ebd. • https://github.com/tensorflow/tensorflow/commit/7bdf50bb4f5c54a4997c379092888546c97c3ebd https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gv8-p3vj-pxvr • CWE-476: NULL Pointer Dereference •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37647 – Null pointer dereference in `SparseTensorSliceDataset` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37647
TensorFlow is an end-to-end open source platform for machine learning. When a user does not supply arguments that determine a valid sparse tensor, `tf.raw_ops.SparseTensorSliceDataset` implementation can be made to dereference a null pointer. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L240-L251) has some argument validation but fails to consider the case when either `indices` or `values` are provided for an empty sparse tensor when the other is not. If `indices` is empty, then [code that performs validation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L260-L261) (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference. If `indices` as provided by the user is empty, then `indices` in the C++ code above is backed by an empty `std::vector`, hence calling `indices->dim_size(0)` results in null pointer dereferencing (same as calling `std::vector::at()` on an empty vector). • https://github.com/tensorflow/tensorflow/commit/02cc160e29d20631de3859c6653184e3f876b9d7 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c5x2-p679-95wc • CWE-476: NULL Pointer Dereference •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37643 – Null pointer dereference in `MatrixDiagPartOp` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37643
TensorFlow is an end-to-end open source platform for machine learning. If a user does not provide a valid padding value to `tf.raw_ops.MatrixDiagPartOp`, then the code triggers a null pointer dereference (if input is empty) or produces invalid behavior, ignoring all values after the first. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L89) reads the first value from a tensor buffer without first checking that the tensor has values to read from. We have patched the issue in GitHub commit 482da92095c4d48f8784b1f00dda4f81c28d2988. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/482da92095c4d48f8784b1f00dda4f81c28d2988 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fcwc-p4fc-c5cc • CWE-476: NULL Pointer Dereference •