CVE-2021-37686 - log back

CVE-2021-37686 created at 13 Aug 2021 07:57:56
Severity
+ High
Remote
+ Local
Type
+ Denial of service
Description
+ In TensorFlow before version 2.6.0 the strided slice implementation in TFLite has a logic bug which can allow an attacker to trigger an infinite loop. This arises from newly introduced support for ellipsis in axis definition. An attacker can craft a model such that ellipsis_end_idx is smaller than i (e.g., always negative). In this case, the inner loop does not increase i and the continue statement causes execution to skip over the preincrement at the end of the outer loop.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mhhc-q96p-mfm9
+ https://github.com/tensorflow/tensorflow/commit/dfa22b348b70bb89d6d6ec0ff53973bacb4f4695
Notes