TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.MapStage`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/map_stage_op.cc#L513) does not check that the `key` input is a valid non-empty tensor. We have patched the issue in GitHub commit d7de67733925de196ec8863a33445b73f9562d1d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
References
Link | Resource |
---|---|
https://github.com/tensorflow/tensorflow/commit/d7de67733925de196ec8863a33445b73f9562d1d | Patch Third Party Advisory |
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-278g-rq84-9hmg | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2021-08-12 16:15
Updated : 2021-08-19 07:02
NVD link : CVE-2021-37673
Mitre link : CVE-2021-37673
JSON object : View
CWE
CWE-20
Improper Input Validation
Products Affected
- tensorflow