PT-2021-23175 · Google · Tensorflow
Mihaimaruseac · Published 2021-11-05 · Updated 2024-03-06 · CVE-2021-41203
CVSS v4.0: 8.5 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.7.0
TensorFlow versions 2.6.1 and earlier
TensorFlow versions 2.5.2 and earlier
TensorFlow versions 2.4.4 and earlier
Description
An attacker who can change saved checkpoints from outside of TensorFlow can trigger undefined behavior, integer overflows, segfaults and CHECK-fail crashes. This is because the checkpoint loading infrastructure is missing validation for invalid file formats.
Recommendations
For versions prior to 2.7.0, update to TensorFlow 2.7.0 or later.
For versions 2.6.1 and earlier, update to TensorFlow 2.6.1 or later.
For versions 2.5.2 and earlier, update to TensorFlow 2.5.2 or later.
For versions 2.4.4 and earlier, update to TensorFlow 2.4.4 or later.
As a temporary workaround, consider restricting access to the checkpoint loading infrastructure until a patch is available.
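One way to detect a checkpoint that was changed outside of TensorFlow before it reaches the loader, as an added example (not code from TensorFlow or from this advisory): seal the checkpoint files with a keyed manifest when they are saved and verify it before restoring. The function names, the `.manifest.json` file name and the key handling are assumptions; the key is assumed to be stored where whoever can write to the checkpoint directory cannot read it.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while chunk := fh.read(1 << 20):  # stream: data shards can be large
            h.update(chunk)
    return h.hexdigest()

def _snapshot(prefix):
    """Digest of each file of one checkpoint: <prefix>.index and <prefix>.data-* shards."""
    p = Path(prefix)
    tails = {f: f.name[len(p.name):] for f in p.parent.iterdir() if f.name.startswith(p.name)}
    return {f.name: _sha256(f) for f, t in tails.items()
            if t == ".index" or t.startswith(".data-")}

def _mac(key, files):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal_checkpoint(prefix, key):
    """Run right after saving: write a keyed manifest next to the checkpoint."""
    files = _snapshot(prefix)
    manifest = {"files": files, "hmac": _mac(key, files)}
    Path(prefix + ".manifest.json").write_text(json.dumps(manifest))

def verify_checkpoint(prefix, key):
    """Run before restoring: True only if the manifest is authentic and the files match it."""
    try:
        doc = json.loads(Path(prefix + ".manifest.json").read_text())
        if not hmac.compare_digest(_mac(key, doc["files"]), doc["hmac"]):
            return False  # manifest was not produced with this key
        return _snapshot(prefix) == doc["files"]  # edited, added or removed file
    except (OSError, ValueError, KeyError, TypeError):
        return False  # missing or malformed manifest: refuse to load

def demo():
    """Constructed stand-in files; a real checkpoint is written by TensorFlow."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        prefix = os.path.join(d, "ckpt-1")
        Path(prefix + ".index").write_bytes(b"constructed index bytes")
        Path(prefix + ".data-00000-of-00001").write_bytes(b"constructed tensor bytes")
        seal_checkpoint(prefix, key)
        intact = verify_checkpoint(prefix, key)
        wrong_key = verify_checkpoint(prefix, b"some-other-key")
        Path(prefix + ".index").write_bytes(b"constructed index bytez")  # same size, one byte changed
        return intact, wrong_key, verify_checkpoint(prefix, key)
```

Call `verify_checkpoint` immediately before the restore call and skip the load when it returns `False`.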
Fix
Integer Overflow
Insufficient Verification of Data Authenticity
Related Identifiers
Affected Products
Tensorflow