PT-2021-21079 · Google · Tensorflow
Ryotak · Published 2021-06-30 · Updated 2024-08-04
CVE-2021-35958 · CVSS v3.1 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
TensorFlow versions prior to 2.5.1
Description:
The issue allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. It's noted that the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives.
Recommendations:
For versions prior to 2.5.1, as a temporary workaround, avoid using tf.keras.utils.get_file with extract=True on untrusted archives until a patch is available. Restrict the use of tf.keras.utils.get_file to trusted archives to minimize the risk of exploitation.
Fix
Path traversal
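The pre-extraction check a defender would want around an archive extractor, written here as an added example (it is not TensorFlow's code): every tar member is rejected if its resolved path, symlink target or hardlink target would land outside the destination directory, and nothing is written until all members pass. The archive contents and the destination path are constructed for the demo.

```python
import io
import os
import tarfile


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that escape dest via '..', an absolute path, or a link target."""
    dest_real = os.path.realpath(dest)

    def inside(path: str) -> bool:
        return os.path.commonpath([dest_real, os.path.realpath(path)]) == dest_real

    bad = []
    for m in tar.getmembers():
        target = os.path.join(dest_real, m.name)  # an absolute m.name replaces dest_real here
        if not inside(target):
            bad.append(m.name)
        elif m.issym() and not inside(os.path.join(os.path.dirname(target), m.linkname)):
            bad.append(m.name)  # symlink targets resolve relative to the member's directory
        elif m.islnk() and not inside(os.path.join(dest_real, m.linkname)):
            bad.append(m.name)  # hardlink targets resolve relative to the archive root
    return bad


def check_archive(archive: bytes, dest: str) -> list[str]:
    """Open a tar held in memory and report its unsafe members (dest need not exist)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return unsafe_members(tar, dest)


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract only if every member stays under dest; return the extracted member names."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract, unsafe member paths: {bad}")
        # Python 3.12+ can enforce the same rules itself: tar.extractall(dest, filter="data")
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_archive(member_names: list[str]) -> bytes:
    """Constructed test input: an in-memory tar with one small file per given name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"sample"))
    return buf.getvalue()
```

The check runs over all members before anything touches disk, so a single escaping entry aborts the whole extraction rather than leaving a partially written tree.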
Weakness Enumeration
Related Identifiers
Affected Products
Tensorflow