PT-2021-21790 · Google · Tensorflow

Published: 2021-08-12 · Updated: 2024-03-06 · CVE-2021-37672

CVSS v4.0: 6.8 (Medium)

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.6.0
TensorFlow versions 2.5.1 and earlier
TensorFlow versions 2.4.3 and earlier
TensorFlow versions 2.3.4 and earlier
Description

An attacker can read outside the bounds of heap-allocated data by sending specially crafted illegal arguments to tf.raw_ops.SdcaOptimizerV2. The implementation does not check that the length of example_labels is the same as the number of examples.
Recommendations

For TensorFlow versions prior to 2.6.0, update to TensorFlow 2.6.0 or later.
For TensorFlow versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later.
For TensorFlow versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later.
For TensorFlow versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later.

As a temporary workaround, consider restricting the use of tf.raw_ops.SdcaOptimizerV2 until a patch is available. Avoid using the example_labels parameter in the affected API endpoint until the issue is resolved.
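The invariant the advisory describes, as an added example that is not TensorFlow's code: a pre-flight guard that rejects SdcaOptimizerV2 arguments whose per-example tensors disagree on the number of examples, the mismatch an unpatched kernel would turn into an out-of-bounds read. Shapes are modelled as plain Python lists so it runs without TensorFlow; the argument names and the rule that example_weights fixes the example count follow the op's documented signature as assumed here, and the index-range check on sparse_example_indices generalizes the same rule to the arguments that index into the per-example tensors.

```python
# Added example, not TensorFlow's implementation. Argument names follow the
# assumed tf.raw_ops.SdcaOptimizerV2 signature; tensors are plain lists.

def check_sdca_example_args(example_weights, example_labels,
                            example_state_data, sparse_example_indices):
    """Return the number of examples, or raise ValueError on a mismatch.

    example_weights       : 1-D, one entry per example (authoritative count)
    example_labels        : 1-D, must have exactly num_examples entries
    example_state_data    : 2-D, must have num_examples rows
    sparse_example_indices: one list per sparse feature group, each holding
                            example ids that index the per-example tensors
    """
    num_examples = len(example_weights)

    # The check missing before the fix: a short example_labels tensor lets the
    # kernel read past the end of its buffer for the remaining examples.
    if len(example_labels) != num_examples:
        raise ValueError(
            f"example_labels has {len(example_labels)} elements, "
            f"expected {num_examples} (one per example)")

    if len(example_state_data) != num_examples:
        raise ValueError(
            f"example_state_data has {len(example_state_data)} rows, "
            f"expected {num_examples}")

    # Index arrays must stay inside the per-example tensors they address.
    for group, indices in enumerate(sparse_example_indices):
        for idx in indices:
            if not 0 <= idx < num_examples:
                raise ValueError(
                    f"sparse_example_indices[{group}] contains {idx}, "
                    f"outside [0, {num_examples})")
    return num_examples


def is_safe_to_call(*args):
    """True when the arguments are mutually consistent and may reach the op."""
    try:
        check_sdca_example_args(*args)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed input: three examples but only two labels, the exact
    # shape mismatch the unpatched kernel did not reject.
    weights, labels, state = [1.0, 1.0, 1.0], [0.0, 1.0], [[0.0]] * 3
    print(is_safe_to_call(weights, labels, state, [[0, 2], [1]]))  # False
```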

Fix

Weakness Enumeration

Out-of-bounds Read

Related Identifiers

BIT-TENSORFLOW-2021-37672
CVE-2021-37672
GHSA-5HJ3-VJJF-F5M7
OPENSUSE-SU-2022:10014-1
OPENSUSE-SU-2024:12116-1
PYSEC-2021-294
PYSEC-2021-585
PYSEC-2021-783

Affected Products

Tensorflow