Log

CVE-2021-37649 created at 13 Aug 2021 07:58:00
Severity
+ Low
Remote
+ Local
Type
+ Denial of service
Description
+ In TensorFlow before version 2.6.0, the code for tf.raw_ops.UncompressElement can be made to trigger a null pointer dereference. The implementation obtains a pointer to a CompressedElement from a Variant tensor and then proceeds to dereference it for decompressing. There is no check that the Variant tensor contained a CompressedElement, so the pointer is actually nullptr.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gv8-p3vj-pxvr
+ https://github.com/tensorflow/tensorflow/commit/7bdf50bb4f5c54a4997c379092888546c97c3ebd
Notes
CVE-2021-37650 created at 13 Aug 2021 07:58:00
Severity
+ High
Remote
+ Local
Type
+ Denial of service
Description
+ In TensorFlow before version 2.6.0 the implementation for tf.raw_ops.ExperimentalDatasetToTFRecord and tf.raw_ops.DatasetToTFRecord can trigger a heap buffer overflow and segmentation fault. The implementation assumes that all records in the dataset are of string type. However, there is no check for that, and the example given in the advisory uses numeric types.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f8h4-7rgh-q2gm
+ https://github.com/tensorflow/tensorflow/commit/e0b6e58c328059829c3eb968136f17aa72b6c876
Notes
CVE-2021-37651 created at 13 Aug 2021 07:58:00
Severity
+ High
Remote
+ Local
Type
+ Information disclosure
Description
+ In TensorFlow before version 2.6.0 the implementation for tf.raw_ops.FractionalAvgPoolGrad can be tricked into accessing data outside the bounds of heap-allocated buffers. The implementation does not validate that the input tensor is non-empty. Thus, the code constructs an empty EigenDoubleMatrixMap and then accesses this buffer with indices that are outside of the empty area.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hpv4-7p9c-mvfr
+ https://github.com/tensorflow/tensorflow/commit/0f931751fb20f565c4e94aa6df58d54a003cdb30
Notes
CVE-2021-37652 created at 13 Aug 2021 07:58:00
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ In TensorFlow before version 2.6.0 the implementation for tf.raw_ops.BoostedTreesCreateEnsemble can result in a use-after-free error if an attacker supplies specially crafted arguments. The implementation uses a reference-counted resource and decrements the refcount if the initialization fails, as it should. However, when the code was written, the resource was represented as a naked pointer, but later refactoring changed it to a smart pointer. Thus, when the pointer leaves the scope, a subsequent freeing of the resource occurs, but this fails to take into account that the refcount has already reached 0 and the resource has therefore already been freed. During this double-free process, members of the resource object are accessed for cleanup, but they are invalid as the entire resource has been freed.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m7fm-4jfh-jrg6
+ https://github.com/tensorflow/tensorflow/commit/5ecec9c6fbdbc6be03295685190a45e7eee726ab
Notes
CVE-2021-37653 created at 13 Aug 2021 07:58:00
Severity
+ Low
Remote
+ Local
Type
+ Denial of service
Description
+ In TensorFlow before version 2.6.0 an attacker can trigger a crash via a floating point exception in tf.raw_ops.ResourceGather. The implementation computes a value, batch_size, and then divides by it without checking that it is not 0.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qjj8-32p7-h289
+ https://github.com/tensorflow/tensorflow/commit/ac117ee8a8ea57b73d34665cdf00ef3303bc0b11
Notes
CVE-2021-37654 created at 13 Aug 2021 07:58:00
Severity
+ High
Remote
+ Local
Type
+ Information disclosure
Description
+ In TensorFlow before version 2.6.0 an attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.raw_ops.ResourceGather, or a read from outside the bounds of heap-allocated data in the same API in a release build. The implementation does not check that the batch_dims value that the user supplies is less than the rank of the input tensor. Since the implementation uses several for loops over the dimensions of the tensor, this results in reading data from outside the bounds of the heap-allocated buffer backing the tensor.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2r8p-fg3c-wcj4
+ https://github.com/tensorflow/tensorflow/commit/bc9c546ce7015c57c2f15c168b3d9201de679a1d
Notes
CVE-2021-37655 created at 13 Aug 2021 07:58:00
Severity
+ High
Remote
+ Local
Type
+ Information disclosure
Description
+ In TensorFlow before version 2.6.0 an attacker can trigger a read from outside the bounds of heap-allocated data by sending invalid arguments to tf.raw_ops.ResourceScatterUpdate. The implementation has an incomplete validation of the relationship between the shapes of indices and updates: instead of checking that the shape of indices is a prefix of the shape of updates (so that broadcasting can happen), the code only checks that the numbers of elements in these two tensors are in a divisibility relationship.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7fvx-3jfc-2cpc
+ https://github.com/tensorflow/tensorflow/commit/01cff3f986259d661103412a20745928c727326f
Notes
CVE-2021-37656 created at 13 Aug 2021 07:58:00
Severity
+ Low
Remote
+ Local
Type
+ Insufficient validation
Description
+ In TensorFlow before version 2.6.0 an attacker can cause undefined behavior via binding a reference to a null pointer in tf.raw_ops.RaggedTensorToSparse. The implementation has an incomplete validation of the splits values: it does not check that they are in increasing order.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4xfp-4pfp-89wg
+ https://github.com/tensorflow/tensorflow/commit/1071f554dbd09f7e101324d366eec5f4fe5a3ece
Notes
CVE-2021-37657 created at 13 Aug 2021 07:58:00
Severity
+ Low
Remote
+ Local
Type
+ Insufficient validation
Description
+ In TensorFlow before version 2.6.0 an attacker can cause undefined behavior via binding a reference to a null pointer in all operations of type tf.raw_ops.MatrixDiagV*. The implementation has incomplete validation that the value of k is a valid tensor. There is a check that this value is either a scalar or a vector, but there is no check for the number of elements. If this is an empty tensor, then the code that accesses the first element of the tensor is wrong.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5xwc-mrhx-5g3m
+ https://github.com/tensorflow/tensorflow/commit/f2a673bd34f0d64b8e40a551ac78989d16daad09
Notes
CVE-2021-37658 created at 13 Aug 2021 07:57:59
Severity
+ Low
Remote
+ Local
Type
+ Information disclosure
Description
+ In TensorFlow before version 2.6.0 an attacker can cause undefined behavior via binding a reference to a null pointer in all operations of type tf.raw_ops.MatrixSetDiagV*. The implementation has incomplete validation that the value of k is a valid tensor. There is a check that this value is either a scalar or a vector, but there is no check for the number of elements. If this is an empty tensor, then the code that accesses the first element of the tensor is wrong.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6p5r-g9mq-ggh2
+ https://github.com/tensorflow/tensorflow/commit/ff8894044dfae5568ecbf2ed514c1a37dc394f1b
Notes