CVE-2021-37658

Source
Severity Low
Remote No
Type Information disclosure
Description
In TensorFlow before version 2.6.0, an attacker can cause undefined behavior by binding a reference to a null pointer in all operations of type tf.raw_ops.MatrixSetDiagV*. The implementation incompletely validates that the value of k is a valid tensor: there is a check that this value is either a scalar or a vector, but there is no check on the number of elements. If k is an empty tensor, the code that accesses the first element of the tensor is wrong.
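The validation order the description implies, as an added example that is not TensorFlow's code and not part of the original entry: the rank check that was present, followed by the element-count check that was missing, both done before the first element of k is read. Int32Tensor, DiagRange and ParseDiagIndex are hypothetical names, and reading k as a (lower, upper) diagonal band with k[0] <= k[1] is an assumption taken from the documented meaning of k for this op.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Simplified stand-in for an int32 tensor: shape plus flat data (constructed).
struct Int32Tensor {
    std::vector<int64_t> shape;  // {} is a scalar, {n} is a vector
    std::vector<int32_t> data;   // flat elements; empty when a dimension is 0
};

struct DiagRange { int32_t lower; int32_t upper; };

// Fills *out with the diagonal band described by k, or returns false and
// sets *err. Nothing is read from k.data until the element count is known.
bool ParseDiagIndex(const Int32Tensor& k, DiagRange* out, std::string* err) {
    // The check the description says already existed: scalar or vector.
    if (k.shape.size() > 1) { *err = "k must be a scalar or a vector"; return false; }
    // The check the description says was missing: shape {0} passes the rank
    // test above but has no first element.
    if (k.data.empty()) { *err = "k must have at least one element"; return false; }
    // Assumption of this example: more than two elements is rejected.
    if (k.data.size() > 2) { *err = "k must have one or two elements"; return false; }
    out->lower = k.data.front();
    out->upper = k.data.back();  // same element when k has size 1
    if (out->lower > out->upper) { *err = "k[0] must not exceed k[1]"; return false; }
    return true;
}

int main() {
    DiagRange r{0, 0};
    std::string err;
    Int32Tensor empty_k{{0}, {}};  // constructed input: vector with zero elements
    if (!ParseDiagIndex(empty_k, &r, &err)) std::printf("rejected: %s\n", err.c_str());
    return 0;
}
```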
Group Package Affected Fixed Severity Status Ticket
AVG-2292 tensorflow 2.5.0-6 2.5.1-1 Critical Fixed
References
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6p5r-g9mq-ggh2
https://github.com/tensorflow/tensorflow/commit/ff8894044dfae5568ecbf2ed514c1a37dc394f1b