CVE-2021-41211

CVE-2021-41211 created at 06 Nov 2021 00:12:35
Severity
+ High
Remote
+ Local
Type
+ Information disclosure
Description
+ In TensorFlow before version 2.6.1, the shape inference code for QuantizeV2 can trigger a read outside the bounds of a heap-allocated array. This occurs whenever axis is a negative value less than -1, in which case data is read from before the start of a heap buffer. The code allows axis to be an optional argument (in which case s would contain an error::NOT_FOUND error code). Otherwise, it assumes that axis is a valid index into the dimensions of the input tensor, so an axis less than -1 results in a heap OOB read.
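The missing range check described above, as an added example (a simplified model, not TensorFlow source and not the code from the referenced commit). The names AxisResult, UnguardedIndexIsOutOfBounds and ResolveAxis are hypothetical, and treating an absent axis like -1 is an assumption.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Simplified model of the bug class; not TensorFlow source. Names are hypothetical.
struct AxisResult {
  bool ok;
  std::string error;  // set when ok is false
  int64_t dim;        // dimension selected by axis, or -1 when no axis applies
};

// Unguarded pattern: every axis except the "not set" value -1 is used as an
// index. Reports whether that index lies outside dims, without doing the read.
bool UnguardedIndexIsOutOfBounds(const std::vector<int64_t>& dims, int axis) {
  if (axis == -1) return false;  // dims is never indexed
  return axis < 0 || static_cast<size_t>(axis) >= dims.size();
}

// Hardened pattern: validate the attribute before it is used as an index.
// has_axis == false models the optional attribute being absent (NOT_FOUND).
AxisResult ResolveAxis(const std::vector<int64_t>& dims, bool has_axis, int axis) {
  if (!has_axis) axis = -1;  // assumption: absent behaves like -1
  if (axis < -1)
    return {false, "axis must be at least -1, got " + std::to_string(axis), -1};
  if (axis == -1) return {true, "", -1};
  if (static_cast<size_t>(axis) >= dims.size())
    return {false, "axis " + std::to_string(axis) + " exceeds input rank", -1};
  return {true, "", dims[static_cast<size_t>(axis)]};
}

int main() {
  const std::vector<int64_t> dims = {2, 3, 4};  // constructed sample shape
  const int samples[] = {-3, -2, -1, 0, 2, 3};
  for (int axis : samples) {
    AxisResult r = ResolveAxis(dims, true, axis);
    std::printf("axis=%2d unguarded_oob=%d hardened_ok=%d %s\n", axis,
                UnguardedIndexIsOutOfBounds(dims, axis), r.ok, r.error.c_str());
  }
  return 0;
}
```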
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cvgx-3v3q-m36c
+ https://github.com/tensorflow/tensorflow/commit/a0d64445116c43cf46a5666bd4eee28e7a82f244
Notes