CVE-2021-37667

CVSS v4.0

8.5

High

Vector

AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier

Description An attacker can cause undefined behavior via binding a reference to null pointer in tf.raw ops.UnicodeEncode. The implementation reads the first dimension of the input splits tensor before validating that this tensor is not empty.

Recommendations For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider avoiding the use of tf.raw ops.UnicodeEncode until a patch is available.

Fix

Access of Uninitialized Pointer

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-824

Related Identifiers

BIT-TENSORFLOW-2021-37667

CVE-2021-37667

GHSA-W74J-V8XH-3W5H

OPENSUSE-SU-2022:10014-1

OPENSUSE-SU-2024:12116-1

PYSEC-2021-289

PYSEC-2021-580

PYSEC-2021-778

Affected Products

Tensorflow

CVE-2021-37667

Weakness Enumeration

Related Identifiers

Affected Products

References · 86