CVE-2021-29615
Stack overflow in `ParseAttrValue` with nested tensors
Description
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `ParseAttrValue`(https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/framework/attr_value_util.cc#L397-L453) can be tricked into stack overflow due to recursion by giving in a specially crafted input. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
How to fix CVE-2021-29615
To remediate CVE-2021-29615, upgrade the affected package to a fixed version below.
- —upgrade to 2.1.4 or later
- —upgrade to 2.1.4 or later
- —upgrade to e07e1c3d26492c06f078c7e5bf2d138043e199c1 or later
- —upgrade to e07e1c3d26492c06f078c7e5bf2d138043e199c1 or later
- —upgrade to 2.1.4 or later
- —upgrade to e07e1c3d26492c06f078c7e5bf2d138043e199c1 or later
- —upgrade to 2.1.4 or later
Is CVE-2021-29615 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
- from 0, < e07e1c3d26492c06f078c7e5bf2d138043e199c1 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < e07e1c3d26492c06f078c7e5bf2d138043e199c1 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
- from 0, < e07e1c3d26492c06f078c7e5bf2d138043e199c1 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW2.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |