PT-2021-18284 · Google · Tensorflow

Author: Yakun Zhang

Published: 2021-05-14 · Updated: 2024-03-06

CVE-2021-29533

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0; TensorFlow version 2.4.2; TensorFlow version 2.3.3; TensorFlow version 2.2.3; TensorFlow version 2.1.4
Description: An attacker can trigger a denial of service via a CHECK failure by passing an empty image to tf.raw_ops.DrawBoundingBoxes. This is because the implementation uses CHECK_* assertions instead of OP_REQUIRES to validate user-controlled inputs. The CHECK_* macros result in a crash if the condition is false, similar to assert. In this case, height is 0 from the images input, resulting in max_box_row_clamp being negative and the assertion being falsified, followed by aborting program execution.
Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow versions 2.4.2, 2.3.3, 2.2.3 and 2.1.4, update to a patched version that includes the fix. As a temporary workaround, consider avoiding the use of tf.raw_ops.DrawBoundingBoxes with empty images until a patch is available.
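As an added illustration (not TensorFlow's own code), the following C++ models the two validation styles the description contrasts: a CHECK-style assertion that aborts the process once an empty image makes max_box_row_clamp negative, and an OP_REQUIRES-style check that rejects the input with an error status before any bound is computed. The CHECK_GE macro, the ClampResult type and the function names are stand-ins constructed for this example.

```cpp
// Added example, not TensorFlow's own code: the two validation styles the
// advisory contrasts, applied to user-controlled image dimensions.
#include <algorithm>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <string>

// Stand-in for a CHECK_* macro: a false condition aborts the whole process,
// which is the denial of service the advisory describes.
#define CHECK_GE(a, b)                                                     \
  do { if (!((a) >= (b))) {                                                \
    std::cerr << "Check failed: " #a " >= " #b "\n"; std::abort(); } } while (0)

// OP_REQUIRES-style result: invalid input is reported to the caller.
struct ClampResult {
  bool ok;
  int64_t row_clamp, col_clamp;  // largest valid row/column index
  std::string error;
};

// Vulnerable shape: the bound is derived from the height and only then
// asserted; height == 0 yields -1 and the CHECK aborts the process.
int64_t MaxBoxRowClampUnchecked(int64_t height) {
  const int64_t max_box_row_clamp = height - 1;
  CHECK_GE(max_box_row_clamp, 0);
  return max_box_row_clamp;
}

// Hardened shape: reject an empty image before any bound is computed.
ClampResult ComputeBoxClamps(int64_t height, int64_t width) {
  if (height < 1 || width < 1) {
    return {false, 0, 0, "images must have non-zero height and width"};
  }
  return {true, height - 1, width - 1, ""};
}

// Clamp one box coordinate into [0, max] so drawn boxes stay in the image.
int64_t ClampCoordinate(int64_t value, int64_t max) {
  return std::min(std::max<int64_t>(value, 0), max);
}

int main() {
  ClampResult r = ComputeBoxClamps(0, 8);  // empty image: error, no abort
  std::cout << (r.ok ? "ok" : "error: " + r.error) << "\n";
  r = ComputeBoxClamps(4, 8);
  std::cout << "clamped row " << ClampCoordinate(10, r.row_clamp) << "\n";
  return 0;
}
```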

Weakness Enumeration

Improper Check for Exceptional Conditions

Related Identifiers

BIT-TENSORFLOW-2021-29533
CVE-2021-29533
GHSA-393F-2JR3-CP69
PYSEC-2021-170
PYSEC-2021-461
PYSEC-2021-659

Affected Products

Tensorflow