PT-2021-18270 · Google · Tensorflow
Yakun Zhang +1 · Published 2021-05-14 · Updated 2024-03-06 · CVE-2021-29519
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
TensorFlow versions prior to 2.5.0
TensorFlow version 2.4.2
TensorFlow version 2.3.3
TensorFlow version 2.2.3
TensorFlow version 2.1.4
Description:
The API of tf.raw_ops.SparseCross allows combinations of arguments that result in a CHECK-failure and denial of service. This happens because the implementation is tricked into treating a tensor as type tstring when it in fact contains integral elements. Fixing the type confusion by preventing the mixing of DT_STRING and DT_INT64 types solves this issue.
Recommendations:
For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue.
For TensorFlow version 2.4.2, apply the cherrypicked commit to resolve the issue.
For TensorFlow version 2.3.3, apply the cherrypicked commit to resolve the issue.
For TensorFlow version 2.2.3, apply the cherrypicked commit to resolve the issue.
For TensorFlow version 2.1.4, apply the cherrypicked commit to resolve the issue.
As a temporary workaround, consider restricting the use of the tf.raw_ops.SparseCross function until a patch is available.
Exploit
Fix
Type Confusion
Affected Products
Tensorflow
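To support the workaround of restricting tf.raw_ops.SparseCross, the following added example (not part of the advisory or of TensorFlow) statically scans Python source for references to the op, resolving import aliases. The function names and the sample source are assumptions constructed for illustration.

```python
import ast
TARGET = "tensorflow.raw_ops.SparseCross"  # op named in the advisory

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_sparse_cross(source, filename="<src>"):
    """Return sorted (line, expression) pairs that reference the op.

    Static check only: dynamic lookups such as getattr() are not seen.
    """
    tree = ast.parse(source, filename)
    aliases = {}  # local name -> fully qualified module/attribute path
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                # "import a.b" binds "a"; "import a.b as x" binds x to a.b
                local = a.asname or a.name.split(".")[0]
                aliases[local] = a.name if a.asname else local
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    hits = set()
    for node in ast.walk(tree):
        name = _dotted(node)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        full = aliases.get(head, head) + ("." + rest if rest else "")
        if full == TARGET:
            hits.add((node.lineno, name))
    return sorted(hits)

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
import tensorflow as tf
from tensorflow import raw_ops as ro
from tensorflow.raw_ops import SparseCross as sc
a = tf.raw_ops.SparseCross(**args)
b = ro.SparseCross
c = sc(**args)
d = tf.sparse.cross([])
'''
```

Calling find_sparse_cross(SAMPLE) reports lines 4, 5 and 6; the source is only parsed, never executed, so TensorFlow does not need to be installed.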