PT-2021-18333 · Google · Tensorflow

Yakun Zhang +1

Published: 2021-05-14 · Updated: 2024-03-06

CVE-2021-29582

CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.5.0
TensorFlow versions 2.4.2 and earlier
TensorFlow versions 2.3.3 and earlier
TensorFlow versions 2.2.3 and earlier
TensorFlow versions 2.1.4 and earlier
Description

Due to a lack of validation in tf.raw_ops.Dequantize, an attacker can trigger a read from outside the bounds of heap-allocated data. The implementation accesses the min_range and max_range tensors in parallel but fails to check that they have the same shape.
Recommendations

For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later.
For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later.
For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later.
For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later.
For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later.

As a temporary workaround, consider disabling the tf.raw_ops.Dequantize function until a patch is available. Restrict access to the min_range and max_range tensors to minimize the risk of exploitation.
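As an added illustration of the missing check described above (this is not TensorFlow's code): a pure-Python model of the op whose public entry point validates the range tensors before any element is touched. The arithmetic is simplified to MIN_COMBINED dequantization of unsigned 8-bit input with per-channel ranges along axis 0; both simplifications are assumptions made for the example.

```python
from typing import List, Sequence


class ShapeMismatch(ValueError):
    """Range tensors that do not agree in shape are rejected up front."""


def validate_ranges(min_range: Sequence[float], max_range: Sequence[float],
                    channels: int) -> None:
    """The check the vulnerable kernel lacked.

    Dequantize walks min_range and max_range with one shared index, so if
    one tensor is shorter than the other the walk runs past its end. Here
    that would be an IndexError; in the C++ kernel it was a heap over-read.
    """
    if len(min_range) != len(max_range):
        raise ShapeMismatch(f"min_range has {len(min_range)} elements, "
                            f"max_range has {len(max_range)}")
    if len(min_range) != channels:
        raise ShapeMismatch(f"expected {channels} per-channel ranges, "
                            f"got {len(min_range)}")


def _dequantize_rows(rows: List[List[int]], min_range: Sequence[float],
                     max_range: Sequence[float]) -> List[List[float]]:
    # Core loop as the op performs it: both range tensors are indexed in
    # lockstep by channel. It relies on the caller having validated shapes.
    out = []
    for c, row in enumerate(rows):
        lo, hi = min_range[c], max_range[c]
        # Simplified MIN_COMBINED mapping for uint8 input (assumption).
        out.append([lo + q * (hi - lo) / 255.0 for q in row])
    return out


def dequantize(rows: List[List[int]], min_range: Sequence[float],
               max_range: Sequence[float]) -> List[List[float]]:
    """Hardened entry point: validate, then compute."""
    validate_ranges(min_range, max_range, channels=len(rows))
    return _dequantize_rows(rows, min_range, max_range)


if __name__ == "__main__":
    # Constructed sample: two channels of quantized uint8 values.
    sample = [[0, 255], [128]]
    print(dequantize(sample, [0.0, -1.0], [1.0, 1.0]))
    try:  # max_range has one entry fewer than min_range: rejected, not read.
        dequantize(sample, [0.0, -1.0], [1.0])
    except ShapeMismatch as exc:
        print("rejected:", exc)
```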

Weakness Enumeration

Out-of-bounds Read

Related Identifiers

BIT-TENSORFLOW-2021-29582
CVE-2021-29582
GHSA-C45W-2WXR-PP53
PYSEC-2021-219
PYSEC-2021-510
PYSEC-2021-708

Affected Products

Tensorflow