CVE-2021-37663 log

Source
Severity Medium
Remote No
Type Information disclosure
Description
In TensorFlow before version 2.6.0, due to incomplete validation in tf.raw_ops.QuantizeV2, an attacker can trigger undefined behavior by binding a reference to a null pointer, or can read data outside the bounds of heap-allocated arrays. The implementation has some validation but does not check that min_range and max_range both have the same non-zero number of elements. If axis is provided (i.e., not -1), validation should check that it is in range for the rank of the input tensor, and that the lengths of the min_range and max_range inputs match the input tensor's dimension along that axis.
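The checks the description calls for can be written out as a small shape-validation routine. The following is an added illustration, not TensorFlow's own kernel code; the function name validate_quantize_v2_ranges, its argument layout and the rule that the range tensors map one-to-one onto the dimension selected by axis are assumptions made for this example, and the sample shapes in the usage section are constructed.

```python
"""Shape validation modelled on the QuantizeV2 checks described in CVE-2021-37663.

Added illustration (not TensorFlow's code): it enforces the conditions the
advisory says were missing before 2.6.0, so that an empty range tensor or a
range length that disagrees with the input's axis dimension is rejected
before any element of min_range/max_range is dereferenced.
"""
from typing import Sequence


def validate_quantize_v2_ranges(input_shape: Sequence[int],
                                min_range: Sequence[float],
                                max_range: Sequence[float],
                                axis: int = -1) -> int:
    """Return the number of (min, max) range pairs that will be used.

    Raises ValueError when the ranges are inconsistent with each other or with
    the chosen axis. Each check corresponds to a failure mode named in the
    advisory: an empty range tensor (a null-pointer reference when the kernel
    binds to element 0), mismatched range lengths, an axis outside the input
    rank, and a range length that does not match the input dimension at axis
    (both of which would index past the end of a heap-allocated array).
    """
    n_min, n_max = len(min_range), len(max_range)

    # Both range tensors must be non-empty and agree in element count.
    if n_min == 0 or n_max == 0:
        raise ValueError("min_range and max_range must be non-empty")
    if n_min != n_max:
        raise ValueError(
            f"min_range has {n_min} elements but max_range has {n_max}")

    if axis == -1:
        # Per-tensor quantization: no axis to reconcile, the shared checks suffice.
        return n_min

    rank = len(input_shape)
    # axis must name an actual dimension of the input tensor.
    if not 0 <= axis < rank:
        raise ValueError(f"axis {axis} is out of range for a rank-{rank} input")

    # Per-axis quantization (assumption for this example): one range pair per
    # slice along `axis`, so the range length must equal that dimension.
    if n_min != input_shape[axis]:
        raise ValueError(
            f"expected {input_shape[axis]} ranges for axis {axis}, got {n_min}")
    return n_min


def is_rejected(input_shape: Sequence[int],
                min_range: Sequence[float],
                max_range: Sequence[float],
                axis: int = -1) -> bool:
    """True when the validator refuses the inputs, False when it accepts them."""
    try:
        validate_quantize_v2_ranges(input_shape, min_range, max_range, axis)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a 2x3 tensor quantized per-tensor and per-axis.
    shape = (2, 3)
    print(validate_quantize_v2_ranges(shape, [0.0], [1.0]))                         # 1
    print(validate_quantize_v2_ranges(shape, [0.0, -1.0, -2.0], [1.0, 2.0, 3.0], 1))  # 3
    # The cases the advisory describes as unchecked are now refused.
    print(is_rejected(shape, [], [1.0]))                      # empty range tensor
    print(is_rejected(shape, [0.0], [1.0, 2.0]))              # length mismatch
    print(is_rejected(shape, [0.0, 1.0], [1.0, 2.0], axis=2))  # axis beyond rank
    print(is_rejected(shape, [0.0, 1.0], [1.0, 2.0], axis=1))  # 2 ranges, dim is 3
```

The validator is deliberately ordered so that the emptiness and length checks run before any axis-dependent lookup; that ordering is what keeps a malformed range tensor from ever being indexed.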
Group: AVG-2292
Package: tensorflow
Affected: 2.5.0-6
Fixed: 2.5.1-1
Severity: Critical
Status: Fixed
Ticket: (none)
References
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g25h-jr74-qp5j
https://github.com/tensorflow/tensorflow/commit/6da6620efad397c85493b8f8667b821403516708