CVE-2021-41206 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2021-41206

CVE-2021-41206

November 05, 2021

TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or `CHECK`-fail related crashes but in some scenarios writes and reads from heap populated arrays are also possible. We have discovered these issues internally via tooling while working on improving/testing GPU op determinism. As such, we don't have reproducers and there will be multiple fixes for these issues. These fixes will be included in TensorFlow 2.7.0. We will also cherrypick these commits on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Affected Packages

tensorflow-gpu (PYTHON):

Affected version(s) >=0.12.0rc0 <2.4.4

Fix Suggestion:

Update to version 2.4.4

tensorflow-gpu (PYTHON):

Affected version(s) >=2.5.0 <2.5.2

Fix Suggestion:

Update to version 2.5.2

tensorflow (PYTHON):

Affected version(s) >=2.5.0 <2.5.2

Fix Suggestion:

Update to version 2.5.2

tensorflow (PYTHON):

Affected version(s) =2.6.0 <2.6.1

Fix Suggestion:

Update to version 2.6.1

tensorflow-cpu (PYTHON):

Affected version(s) =2.6.0 <2.6.1

Fix Suggestion:

Update to version 2.6.1

tensorflow-cpu (PYTHON):

Affected version(s) >=2.5.0 <2.5.2

Fix Suggestion:

Update to version 2.5.2

tensorflow (PYTHON):

Affected version(s) >=0.11.0rc2 <2.4.4

Fix Suggestion:

Update to version 2.4.4

tensorflow-cpu (PYTHON):

Affected version(s) >=0.0.0 <2.4.4

Fix Suggestion:

Update to version 2.4.4

tensorflow-gpu (PYTHON):

Affected version(s) =2.6.0 <2.6.1

Fix Suggestion:

Update to version 2.6.1

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (12)

https://github.com/tensorflow/tensorflow/commit/4dddb2fd0b01cdd196101afbba6518658a2c9e07

https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-847.yaml

https://github.com/tensorflow/tensorflow

https://github.com/tensorflow/tensorflow/commit/579261dcd446385831fe4f7457d802a59685121d

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pgcq-h79j-2f69

https://github.com/tensorflow/tensorflow/commit/da4aad5946be30e5f049920fa076e1f7ef021261

https://github.com/tensorflow/tensorflow/commit/4d74d8a00b07441cba090a02e0dd9ed385145bf4

https://github.com/tensorflow/tensorflow/commit/e7f497570abb6b4ae5af4970620cd880e4c0c904

https://github.com/tensorflow/tensorflow/commit/68422b215e618df5ad375bcdc6d2052e9fd3080a

https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-843.yaml

https://nvd.nist.gov/vuln/detail/CVE-2021-41206

https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-845.yaml

Do you need more information?

CVSS v4

Base Score:

7.3

Attack Vector

LOCAL

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

4.6

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Improper Validation of Integrity Check Value

CWE-354

EPSS

Base Score:

0.01

Products

Solutions

Resources

Company

Compare

Developer Tools