PT-2021-18361 · Google · Tensorflow

Yakun Zhang +1

Published 2021-05-14 · Updated 2024-03-06 · CVE-2021-29610

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.5.0
TensorFlow versions 2.4.2 and earlier
TensorFlow versions 2.3.3 and earlier
TensorFlow versions 2.2.3 and earlier
TensorFlow versions 2.1.4 and earlier
Description

The validation in tf.raw_ops.QuantizeAndDequantizeV2 allows invalid values for the axis argument. The check joins two different conditions with ||, so if axis < -1 the OP_REQUIRES condition is still true, yet such a value of axis results in a heap underflow. This allows an attacker to read from or write to other data on the heap.
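The following is an added illustration, not TensorFlow's own code: it models the OR-joined axis check the advisory describes beside the corrected AND-style check, and emulates unchecked C indexing so that the accepted out-of-range axis visibly reads before the start of the shape buffer. The function names, the Python list standing in for a tensor shape, and the indexing emulation are assumptions made for this example.

```python
# Added example (not TensorFlow code): flawed vs. corrected axis validation.


def axis_check_flawed(axis: int, rank: int) -> bool:
    # Pre-fix style check: the two conditions are joined with OR. The -1
    # sentinel ("no axis") is accepted, but so is every axis below -1,
    # because any negative number also satisfies `axis < rank`.
    return axis == -1 or axis < rank


def axis_check_fixed(axis: int, rank: int) -> bool:
    # Corrected check: accept the -1 sentinel or an index inside [0, rank).
    return axis == -1 or (0 <= axis < rank)


def c_style_index(buf: list, idx: int) -> int:
    # Emulates unchecked C indexing: a negative index would read before
    # buf[0], which is the heap underflow the advisory describes. Python's
    # own negative indexing wraps around, so it is deliberately not used.
    if 0 <= idx < len(buf):
        return buf[idx]
    raise IndexError(f"read at offset {idx} of a {len(buf)}-element buffer")


def selected_dim(shape: list, axis: int, check) -> str:
    """Run the validation, then the dimension lookup an op would perform.

    Returns 'rejected' (validation caught the bad axis), 'whole'
    (axis == -1, no per-axis dimension needed), 'dim=N' (valid axis), or
    'oob-read' (validation passed but the lookup left the shape buffer).
    """
    rank = len(shape)
    if not check(axis, rank):
        return "rejected"
    if axis == -1:
        return "whole"
    try:
        return f"dim={c_style_index(shape, axis)}"
    except IndexError:
        return "oob-read"


if __name__ == "__main__":
    shape = [2, 3, 4]  # constructed sample tensor shape of rank 3
    for axis in (-3, -2, -1, 0, 2, 3):
        print(axis, "flawed:", selected_dim(shape, axis, axis_check_flawed),
              "fixed:", selected_dim(shape, axis, axis_check_fixed))
```

Running the block shows that axis values -3 and -2 pass the flawed check and end in an out-of-bounds read, while the corrected check rejects them before any lookup happens.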
Recommendations

For TensorFlow versions prior to 2.5.0, update to TensorFlow 2.5.0 or later.
For TensorFlow versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later.
For TensorFlow versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later.
For TensorFlow versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later.
For TensorFlow versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later.

As a temporary workaround, consider restricting the use of the tf.raw_ops.QuantizeAndDequantizeV2 function until a patch is available. Avoid passing values less than -1 for the axis argument of the affected API endpoint until the issue is resolved.

Weakness Enumeration

Memory Corruption
Improper Initialization

Related Identifiers

BIT-TENSORFLOW-2021-29610
CVE-2021-29610
GHSA-MQ5C-PRH3-3F3H
PYSEC-2021-247
PYSEC-2021-538
PYSEC-2021-736

Affected Products

Tensorflow