CVE-2021-41228 — OS Command Injection in Tensorflow

CWE-78 — OS Command Injection CWE-94 — Code Injection7 documents5 sources

Severity

7.8HIGHNVD

CNA7.5GHSA7.5

EPSS

0.0%

top 88.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedNov 5

Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. We have patched this by adding a `safe` flag which defaults to `True` and an explicit warning for users. The fix will be incl…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDgoogle/tensorflow2.4.0 — 2.4.4+3

▶CVEListV5tensorflow/tensorflow< 2.4.4+2

▶PyPIintel/optimization_for_tensorflow2.5.0 — 2.5.2+4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Code injection in `saved_model_cli` in TensorFlow↗2022-05-24

▶

OSV

Code injection in `saved_model_cli`↗2021-11-10

▶

GHSA

Code injection in `saved_model_cli`↗2021-11-10

▶

OSV

CVE-2021-41228: TensorFlow is an open source platform for machine learning↗2021-11-05

▶

CVEList

Code injection in `saved_model_cli`↗2021-11-05

▶

📋Vendor Advisories

Debian

CVE-2021-41228: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions...↗2021

▶