CVE-2021-29617

EUVD-2021-0358
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.5 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
GitHub_MCNA
2.5 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Affected Products (NVD)
VendorProductVersion
googletensorflow
𝑥
< 2.1.4
googletensorflow
2.2.0 ≤
𝑥
< 2.2.3
googletensorflow
2.3.0 ≤
𝑥
< 2.3.3
googletensorflow
2.4.0 ≤
𝑥
< 2.4.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/tensorflow/issues/46900
https://github.com/tensorflow/issues/46974
https://github.com/tensorflow/tensorflow/commit/890f7164b70354c57d40eda52dcdd7658677c09f
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mmq6-q8r3-48fm
https://github.com/tensorflow/issues/46900
https://github.com/tensorflow/issues/46974
https://github.com/tensorflow/tensorflow/commit/890f7164b70354c57d40eda52dcdd7658677c09f
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mmq6-q8r3-48fm