CVE-2021-37678 log

Severity Critical
Remote No
Type Arbitrary code execution
In TensorFlow before version 2.6.0 TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation uses yaml.unsafe_load which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, it has been removed it for now.
Group Package Affected Fixed Severity Status Ticket
AVG-2292 tensorflow 2.5.0-6 2.5.1-1 Critical Fixed