CVE-2021-29590 log

Source
Severity Low
Remote No
Type Information disclosure
Description
A security issue has been found in TensorFlow before version 2.4.2. The implementations of the `Minimum` and `Maximum` TFLite operators can be used to read data outside of bounds of heap allocated objects, if any of the two input tensor arguments are empty. This is because the broadcasting implementation(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/maximum_minimum.h#L52-L56) indexes in both tensors with the same index but does not validate that the index is within bounds.
Group Package Affected Fixed Severity Status Ticket
AVG-1962 tensorflow 2.4.1-10 2.5.0-1 Critical Fixed
References
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x6-8c7m-hv3f
https://github.com/tensorflow/tensorflow/commit/953f28dca13c92839ba389c055587cfe6c723578