CVE-2021-29611 LOW

CVE-2021-29611: Incomplete validation in `SparseReshape`

Vendor Tensorflow
Product tensorflow
Weakness CWE-665
Published May 14, 2021
Last update August 3, 2024

CVSS base score

3.6/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The [implementation](https://github.com/tensorflow/tensorflow/blob/e87b51ce05c3eb172065a6ea5f48415854223285/tensorflow/core/kernels/sparse_reshape_op.cc#L40) has no validation that the input arguments specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions.
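The following is an added example, not code from the advisory or from TensorFlow: a pure-Python pre-check that a service accepting untrusted tensors could run before passing arguments to `SparseReshape`. The function name, the sample inputs, and the reading of "valid sparse tensor" as the COO layout (indices of shape `[N, ndims]`, a 1-D shape of length `ndims`) are assumptions; the record does not list which checks the fix adds.

```python
# Added example: caller-side checks for SparseReshape-style arguments.
# Assumption: "valid sparse tensor" means the COO layout TensorFlow documents,
# i.e. indices of shape [N, ndims] and a 1-D dense shape of length ndims.

def _is_int(x):
    return isinstance(x, int) and not isinstance(x, bool)

def _is_seq(x):
    return isinstance(x, (list, tuple))

def validate_sparse_reshape_inputs(input_indices, input_shape):
    """Return a list of problems; an empty list means the pair is well formed."""
    # input_shape must be rank 1: a flat sequence of integers.
    if not _is_seq(input_shape) or not all(_is_int(d) for d in input_shape):
        return ["input_shape must be a 1-D sequence of integers"]
    problems = []
    if any(d < 0 for d in input_shape):
        problems.append("input_shape has a negative dimension")
    # input_indices must be rank 2: a sequence of rows of integers.
    if not _is_seq(input_indices) or not all(
        _is_seq(row) and all(_is_int(v) for v in row) for row in input_indices
    ):
        return problems + ["input_indices must be a 2-D matrix of integers"]
    ndims = len(input_shape)
    for n, row in enumerate(input_indices):
        if len(row) != ndims:
            problems.append(f"row {n}: {len(row)} coordinates, expected {ndims}")
        elif any(not 0 <= v < d for v, d in zip(row, input_shape)):
            problems.append(f"row {n}: index outside shape {list(input_shape)}")
    return problems

# Constructed sample inputs (not taken from the advisory).
SAMPLES = {
    "well formed": ([[0, 0], [1, 2]], [2, 3]),
    "scalar indices": (5, [2, 3]),
    "1-D indices": ([0, 1], [2, 3]),
    "wrong column count": ([[0, 0, 0]], [2, 3]),
    "index out of bounds": ([[2, 0]], [2, 3]),
    "nested shape": ([[0, 0]], [[2, 3]]),
}

if __name__ == "__main__":
    for name, (indices, shape) in SAMPLES.items():
        print(f"{name}: {validate_sparse_reshape_inputs(indices, shape) or 'ok'}")
```

Rejecting malformed arguments at the service boundary turns a process-terminating `CHECK` failure into an ordinary input error on affected versions; upgrading to a fixed release remains the actual remediation.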

Key dates

02 Disclosure timeline

May 14, 2021 CVE published
August 3, 2024 Record updated