CVE-2021-29617
Crash in `tf.strings.substr` due to `CHECK`-fail
Severity: LOW (CVSS 3.1 base score 2.5); EPSS 0.02%
Description
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a `CHECK`-fail in `tf.strings.substr` when it is called with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit onto TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in the supported range.
How to fix CVE-2021-29617
To remediate CVE-2021-29617, upgrade the affected package to a fixed version below.
- upgrade to 2.1.4 or later
- upgrade to commit 890f7164b70354c57d40eda52dcdd7658677c09f or later
Is CVE-2021-29617 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
- from 0, < 890f7164b70354c57d40eda52dcdd7658677c09f | from 0, < 2.2.0rc0, >= 2.2.0, < 2.3.0rc0, >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < 890f7164b70354c57d40eda52dcdd7658677c09f | from 0, < 2.2.0rc0, >= 2.2.0, < 2.3.0rc0, >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < 2.1.4
- from 0, < 890f7164b70354c57d40eda52dcdd7658677c09f | from 0, < 2.2.0rc0, >= 2.2.0, < 2.3.0rc0, >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < 2.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW (2.5) | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |