CVE-2021-29619
Segfault in `tf.raw_ops.SparseCountSparseOutput`
2.5
LOW
CVSS 3.1
EPSS 0.01%
Description
TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments (e.g., discovered via fuzzing) to `tf.raw_ops.SparseCountSparseOutput` results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
How to fix CVE-2021-29619
To remediate CVE-2021-29619, upgrade the affected package to a fixed version below.
- —upgrade to 2.1.4 or later
- —upgrade to 2.1.4 or later
- —upgrade to 82e6203221865de4008445b13c69b6826d2b28d9 or later
- —upgrade to 82e6203221865de4008445b13c69b6826d2b28d9 or later
- —upgrade to 2.1.4 or later
- —upgrade to 82e6203221865de4008445b13c69b6826d2b28d9 or later
- —upgrade to 2.1.4 or later
Is CVE-2021-29619 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
- from 0, < 82e6203221865de4008445b13c69b6826d2b28d9 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 82e6203221865de4008445b13c69b6826d2b28d9 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
- from 0, < 82e6203221865de4008445b13c69b6826d2b28d9 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW2.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |