CVE-2021-35958 — Path Traversal in Google Tensorflow

CWE-22 — Path Traversal CWE-668 — Resource Exposure9 documents5 sources

Severity

9.1CRITICALNVD

OSV5.5

EPSS

1.1%

top 22.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Google Tensorflow

Timeline

PublishedJun 30

Latest updateMay 2

Description

TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶NVDgoogle/tensorflow2.5.0

▶Ubuntulinux/linux_kernel< 5.4.0-214.234

🔴Vulnerability Details

OSV

linux-xilinx-zynqmp vulnerabilities↗2025-05-02

▶

OSV

linux-azure-fips, linux-fips, linux-gcp-fips vulnerabilities↗2025-04-24

▶

OSV

linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-iot vulnerabilities↗2025-04-24

▶

OSV

linux-aws-fips vulnerabilities↗2025-04-24

▶

OSV

linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 vulnerabilities↗2025-04-24

▶

📋Vendor Advisories

Debian

CVE-2021-35958: tensorflow - TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a cra...↗2021

▶