CVE-2021-41208 Information

Description

TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result attackers can trigger denial of service (via dereferencing nullptrs or via CHECK-failures) as well as abuse undefined behavior (binding references to nullptrs). An attacker can also read and write from heap buffers depending on the API that gets used and the arguments that are passed to the call. Given that the boosted trees implementation in TensorFlow is unmaintained it is recommend to no longer use these APIs. We will deprecate TensorFlow’s boosted trees APIs in subsequent releases. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1 TensorFlow 2.5.2 and TensorFlow 2.4.4 as these are also affected and still in supported range.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/tensorflow/tensorflow/commit/5c8c9a8bfe750f9743d0c859bae112060b216f5c https://github.com/tensorflow/tensorflow/security/advisories/GHSA-57wx-m983-2f88

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8