CVE-2021-37673 Information

Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.MapStage. The implementation does not check that the key input is a valid non-empty tensor. We have patched the issue in GitHub commit d7de67733925de196ec8863a33445b73f9562d1d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1 TensorFlow 2.4.3 and TensorFlow 2.3.4 as these are also affected and still in supported range.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Reference

https://github.com/tensorflow/tensorflow/commit/d7de67733925de196ec8863a33445b73f9562d1d https://github.com/tensorflow/tensorflow/security/advisories/GHSA-278g-rq84-9hmg

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.5