CVE-2021-29590 — Out-of-bounds Read in Tensorflow

CWE-125 — Out-of-bounds Read6 documents5 sources

Severity

7.1HIGHNVD

CNA2.5

EPSS

0.0%

top 95.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 14

Latest updateMay 21

Description

TensorFlow is an end-to-end open source platform for machine learning. The implementations of the `Minimum` and `Maximum` TFLite operators can be used to read data outside of bounds of heap allocated objects, if any of the two input tensor arguments are empty. This is because the broadcasting implementation(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/maximum_minimum.h#L52-L56) indexes in both tensors with the s…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages3 packages

▶NVDgoogle/tensorflow2.2.0 — 2.2.3+3

▶CVEListV5tensorflow/tensorflow< 2.1.4+3

▶PyPIintel/optimization_for_tensorflow2.2.0 — 2.2.3+4

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Heap OOB read in TFLite's implementation of `Minimum` or `Maximum`↗2021-05-21

▶

OSV

Heap OOB read in TFLite's implementation of `Minimum` or `Maximum`↗2021-05-21

▶

OSV

CVE-2021-29590: TensorFlow is an end-to-end open source platform for machine learning↗2021-05-14

▶

CVEList

Heap OOB read in TFLite's implementation of `Minimum` or `Maximum`↗2021-05-14

▶

📋Vendor Advisories

Debian

CVE-2021-29590: tensorflow - TensorFlow is an end-to-end open source platform for machine learning. The imple...↗2021

▶