CVE Vulnerability

CVE-2021-41227

TensorFlow is an open source platform for machine learning. In affected versions the `ImmutableConst` operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the `tstring` TensorFlow string class has a special case for memory mapped strings but the operation itself does not offer any support for this datatype. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

2.1 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

5.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-j8c8-67vp-6mx7 Exploit Patch
https://github.com/tensorflow/tensorflow/commit/3712a2d3455e6ccb924daa5724a3652a86f6b585 Patch Third Party Advisory
https://github.com/tensorflow/tensorflow/commit/1cb6bb6c2a6019417c9adaf9e6843ba75ee2580b Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.7.0:rc1:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.7.0:rc0:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
Information

Published : 2021-11-05 11:15

Updated : 2021-11-10 01:18

NVD link : CVE-2021-41227

Mitre link : CVE-2021-41227

Products Affected
No products.
CWE
CWE-125

Out-of-bounds Read