PT-2021-18304 · Google · Tensorflow

Published

2021-05-14

·

Updated

2024-03-06

·

CVE-2021-29553

CVSS v3.1

7.1

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow prior to 2.5.0
TensorFlow 2.4.x prior to 2.4.2
TensorFlow 2.3.x prior to 2.3.3
TensorFlow 2.2.x prior to 2.2.3
TensorFlow 2.1.x prior to 2.1.4
Description

An attacker can read data outside the bounds of a heap-allocated buffer in tf.raw_ops.QuantizeAndDequantizeV3. The kernel uses the user-supplied axis attribute to index into the array backing the input argument without first validating it: only -1 (per-tensor quantization) or a value in the range [0, rank of input) is meaningful, yet any other negative value, or a value at or beyond the input's rank, is used as-is and reads outside the array. Since axis is a graph attribute, a crafted model or graph is enough to trigger the read, which can crash the process or disclose heap contents (hence the high confidentiality and availability impact in the CVSS vector).
Recommendations

Update to TensorFlow 2.5.0 or later. If you must stay on a maintenance branch, update to the patched release for that branch: 2.4.2 for 2.4.x, 2.3.3 for 2.3.x, 2.2.3 for 2.2.x, or 2.1.4 for 2.1.x. Until the update is deployed, do not expose tf.raw_ops.QuantizeAndDequantizeV3 to untrusted input such as models or graphs from outside sources, and never pass an attacker-controlled value as its axis attribute: validate it against the input tensor's rank before the call, accepting only -1 or a value in [0, rank).
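The caller-side guard the recommendations above describe, as an added example that is not TensorFlow project code: a wrapper that validates axis against the input's rank before handing it to tf.raw_ops.QuantizeAndDequantizeV3. The accepted set (axis == -1, or 0 <= axis < rank) is this example's reading of the op's contract and of the upstream fix. The wrapper takes the op as a callable so the file runs without TensorFlow installed (pass tf.raw_ops.QuantizeAndDequantizeV3 in real use); the stand-in op, the helper names and the sample inputs are constructed for this example.

```python
"""Caller-side guard for the axis attribute of tf.raw_ops.QuantizeAndDequantizeV3.

Added example, not TensorFlow project code. Before the fix the kernel used the
user-supplied axis to look up a dimension of `input` without checking it, so an
axis such as -2 on a rank-1 input read outside the heap-allocated array. The
accepted range below (axis == -1 for per-tensor quantization, otherwise
0 <= axis < rank) is this example's reading of the op's contract and of the
upstream patch.
"""
from typing import Any, Callable


def tensor_rank(value: Any) -> int:
    """Rank of a tensor-like value: anything with .shape, or a nested list."""
    if hasattr(value, "shape"):
        return len(value.shape)
    rank = 0
    while isinstance(value, (list, tuple)):
        rank += 1
        if not value:
            break
        value = value[0]
    return rank


def axis_is_valid(axis: Any, rank: int) -> bool:
    """True if axis is -1 (per-tensor) or a real dimension index of the input."""
    if isinstance(axis, bool) or not isinstance(axis, int):
        return False
    return axis == -1 or 0 <= axis < rank


def validate_axis(axis: Any, rank: int) -> int:
    """Return axis if valid, else raise ValueError before the kernel is reached."""
    if not axis_is_valid(axis, rank):
        raise ValueError(
            f"axis={axis!r} is not -1 and not in [0, {rank}) for a rank-{rank} input"
        )
    return axis


def safe_quantize_and_dequantize_v3(op: Callable[..., Any], input: Any, input_min: Any,
                                    input_max: Any, num_bits: Any, *, axis: Any = -1,
                                    **attrs: Any) -> Any:
    """Validate axis, then call `op` (tf.raw_ops.QuantizeAndDequantizeV3 in real use).

    The op is injected rather than imported so this example runs without
    TensorFlow; remaining attributes (signed_input, range_given, narrow_range)
    are forwarded unchanged.
    """
    validate_axis(axis, tensor_rank(input))
    return op(input=input, input_min=input_min, input_max=input_max,
              num_bits=num_bits, axis=axis, **attrs)


def recording_op(**kwargs: Any) -> dict:
    """Constructed stand-in for the real op: returns the arguments it received."""
    return dict(kwargs)


if __name__ == "__main__":
    # Constructed rank-1 input: axis=0 is allowed, axis=-2 must be refused.
    data = [2.5, 2.5]
    accepted = safe_quantize_and_dequantize_v3(recording_op, data, [0.0], [1.0], 8, axis=0)
    print("accepted axis:", accepted["axis"])
    try:
        safe_quantize_and_dequantize_v3(recording_op, data, [0.0], [1.0], 8, axis=-2)
    except ValueError as exc:
        print("refused:", exc)
```

The guard sits in front of the call rather than inside the model because the attribute arrives with the graph; checking it at the boundary where untrusted graphs are loaded is what keeps a crafted axis from ever reaching the unpatched kernel.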

Weakness Enumeration

Out-of-bounds Read (CWE-125)

Related Identifiers

BIT-TENSORFLOW-2021-29553
CVE-2021-29553
GHSA-H9PX-9VQG-222H
PYSEC-2021-190
PYSEC-2021-481
PYSEC-2021-679

Affected Products

Tensorflow