CVE-2021-29515

Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixDiag*` operations(https://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8e3eb857e9e4c3ff33/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L195-L197) does not validate that the tensor arguments are non-empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

How to fix CVE-2021-29515

To remediate CVE-2021-29515, upgrade the affected package to a fixed version below.

• —upgrade to 2.1.4 or later
• —upgrade to 2.1.4 or later
• —upgrade to a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 or later
• —upgrade to a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 or later
• —upgrade to 2.1.4 or later
• —upgrade to a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 or later
• —upgrade to 2.1.4 or later

Is CVE-2021-29515 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
• from 0, < 2.1.4
• from 0, < a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
• from 0, < a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
• from 0, < 2.1.4
• from 0, < a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
• from 0, < 2.1.4

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29515
• PATCHgithub.com/tensorflow/tensorflow
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-443.yaml
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-641.yaml