CVE-2021-29553 log
Source |
|
Severity | Low |
Remote | No |
Type | Information disclosure |
Description | A security issue has been found in TensorFlow before version 2.4.2. An attacker can read data outside of bounds of heap allocated buffer in `tf.raw_ops.QuantizeAndDequantizeV3`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/11ff7f80667e6490d7b5174aa6bf5e01886e770f/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L237) does not validate the value of user supplied `axis` attribute before using it to index in the array backing the `input` argument. |
Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-1962 | tensorflow | 2.4.1-10 | 2.5.0-1 | Critical | Fixed |
References |
---|
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h9px-9vqg-222h https://github.com/tensorflow/tensorflow/commit/99085e8ff02c3763a0ec2263e44daec416f6a387 |