AI Threat Alert
CVE-2021-29604
MEDIUMTensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of hashtable lookup is vulnerable to a division by zero...
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
Severity & Risk
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of hashtable lookup is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/hashtable_lookup.cc#L114-L115) An attacker can craft a model such that `values`'s first dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References
- github.com/tensorflow/tensorflow/commit/5117e0851348065ed59c991562c0ec80d9193db2 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-8rm6-75mf-7r7r Exploit Patch 3rd Party
- github.com/tensorflow/tensorflow/commit/5117e0851348065ed59c991562c0ec80d9193db2 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-8rm6-75mf-7r7r Exploit Patch 3rd Party