CVE-2021-29618

Description

TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to `tf.transpose` at the same time as passing `conjugate=True` argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

How to fix CVE-2021-29618

To remediate CVE-2021-29618, upgrade the affected package to a fixed version below.

• —upgrade to 2.1.4 or later
• —upgrade to 2.1.4 or later
• —upgrade to 1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88 or later
• —upgrade to 1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88 or later
• —upgrade to 2.1.4 or later
• —upgrade to 1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88 or later
• —upgrade to 2.1.4 or later

Is CVE-2021-29618 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
• from 0, < 2.1.4
• from 0, < 1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88 | from 0, < 2.2.0rc0, >= 2.2.0, < 2.3.0rc0, >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
• from 0, < 1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88 | from 0, < 2.2.0rc0, >= 2.2.0, < 2.3.0rc0, >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
• from 0, < 2.1.4
• from 0, < 1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88 | from 0, < 2.2.0rc0, >= 2.2.0, < 2.3.0rc0, >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
• from 0, < 2.1.4

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29618
• PATCHgithub.com/tensorflow/tensorflow
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-546.yaml
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-744.yaml