GHSA-7v94-64hj-m82h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7v94-64hj-m82h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-7v94-64hj-m82h/GHSA-7v94-64hj-m82h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7v94-64hj-m82h
- Aliases
- Published
- 2021-11-10T19:02:57Z
- Modified
- 2024-08-29T22:20:45.490900Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- FPE in `ParallelConcat`
- Details
-
Impact
The implementation of
ParallelConcatmisses some input validation and can produce a division by 0:import tensorflow as tf @tf.function def test(): y = tf.raw_ops.ParallelConcat(values=[['tf']],shape=0) return y test()Patches
We have patched the issue in GitHub commit f2c3931113eaafe9ef558faaddd48e00a6606235.
The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
- References
-
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7v94-64hj-m82h
- https://nvd.nist.gov/vuln/detail/CVE-2021-41207
- https://github.com/tensorflow/tensorflow/commit/9de11bdc2cf1284b2f635419bd3e6bbc7643eb2c
- https://github.com/tensorflow/tensorflow/commit/d11f21bbdfa54f3576ae860fc927bf23c675ebc0
- https://github.com/tensorflow/tensorflow/commit/e67caccea81167402c62977b5c521f2a8b261d6a
- https://github.com/tensorflow/tensorflow/commit/f2c3931113eaafe9ef558faaddd48e00a6606235
- https://github.com/tensorflow/tensorflow
- https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/inplace_ops.cc#L72-L97
Affected packages
PyPI / tensorflow
Package
- Name
- tensorflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/tensorflow
PyPI / tensorflow
Package
- Name
- tensorflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/tensorflow
PyPI / tensorflow
Package
- Name
- tensorflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/tensorflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.4.4
Affected versions
0.*
0.12.0
0.12.1
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.12.2
1.12.3
1.13.1
1.13.2
1.14.0
1.15.0
1.15.2
1.15.3
1.15.4
1.15.5
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.4.0
2.4.1
2.4.2
2.4.3