CVE-2021-29530

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier

Description: An attacker can trigger a null pointer dereference by providing an invalid permutation to tf.raw ops.SparseMatrixSparseCholesky. This is because the implementation fails to properly validate the input arguments. The ValidateInputs function is called, but it does not properly handle validation failures, allowing the code to proceed with invalid inputs. The issue can be exploited by providing a specially crafted permutation argument to the tf.raw ops.SparseMatrixSparseCholesky function.

Recommendations: For TensorFlow versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider avoiding the use of the tf.raw ops.SparseMatrixSparseCholesky function with untrusted input until a patch is available.