PT-2021-18344 · Google · Tensorflow

Published: 2021-05-14 · Updated: 2024-03-06 · CVE-2021-29593

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.5.0
TensorFlow versions 2.4.2 and earlier
TensorFlow versions 2.3.3 and earlier
TensorFlow versions 2.2.3 and earlier
TensorFlow versions 2.1.4 and earlier
Description

The implementation of the BatchToSpaceNd TFLite operator is vulnerable to a division-by-zero error. An attacker can craft a model in which one dimension of the block input is 0, so that the corresponding entry of `block_shape` is 0. Because the kernel computes the output batch size with `output_batch_size = output_batch_size / block_shape[dim]` without validating the divisor, such a model triggers a division by zero (a process crash, i.e. denial of service) at that line.
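As an added illustration (not TensorFlow's own code): a C++ sketch of the output-batch computation the description refers to, showing the unchecked form beside a version that rejects a zero or negative `block_shape` entry before dividing. The function names, the `Status` enum, the extra divisibility check and the sample shapes are constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Status { kOk, kBadBlockShape, kBatchNotDivisible };

struct BatchResult {
  Status status;
  int output_batch;  // valid only when status == Status::kOk
};

// Unchecked form, as described in the advisory: the output batch is divided
// by each block dimension with no validation. A zero entry is undefined
// behaviour (SIGFPE on most platforms), so this is shown for contrast and is
// never called with a zero entry here.
int UncheckedOutputBatch(int input_batch, const std::vector<int32_t>& block_shape) {
  int output_batch_size = input_batch;
  for (size_t dim = 0; dim < block_shape.size(); ++dim) {
    output_batch_size = output_batch_size / block_shape[dim];
  }
  return output_batch_size;
}

// Hardened form: validate every block dimension before it is used as a divisor.
// A model-supplied shape is untrusted input, so the kernel must reject it rather
// than assume a well-formed converter produced it.
BatchResult CheckedOutputBatch(int input_batch, const std::vector<int32_t>& block_shape) {
  int output_batch_size = input_batch;
  for (size_t dim = 0; dim < block_shape.size(); ++dim) {
    if (block_shape[dim] <= 0) {  // the crafted-model case from the advisory
      return {Status::kBadBlockShape, 0};
    }
    if (output_batch_size % block_shape[dim] != 0) {  // extra sanity check (constructed)
      return {Status::kBatchNotDivisible, 0};
    }
    output_batch_size /= block_shape[dim];
  }
  return {Status::kOk, output_batch_size};
}

int main() {
  // Constructed shapes: a benign 2x2 block and a malicious block with a 0 entry.
  const std::vector<int32_t> benign = {2, 2};
  const std::vector<int32_t> crafted = {2, 0};
  BatchResult ok = CheckedOutputBatch(8, benign);
  BatchResult bad = CheckedOutputBatch(8, crafted);
  std::printf("benign: status=%d batch=%d\n", static_cast<int>(ok.status), ok.output_batch);
  std::printf("crafted: status=%d (rejected before dividing)\n", static_cast<int>(bad.status));
  return 0;
}
```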
Recommendations

For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later to resolve the issue.
For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later to resolve the issue.
For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later to resolve the issue.
For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later to resolve the issue.
For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later to resolve the issue.
As a temporary workaround, consider avoiding the use of the BatchToSpaceNd TFLite operator until a patch is available.

Exploit

Fix

Weakness Enumeration

Divide By Zero

Related Identifiers

BIT-TENSORFLOW-2021-29593
CVE-2021-29593
GHSA-CFX7-2XPC-8W4H
PYSEC-2021-230
PYSEC-2021-521
PYSEC-2021-719

Affected Products

Tensorflow