Vulnerability Details : CVE-2021-29619
TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments (e.g., discovered via fuzzing) to `tf.raw_ops.SparseCountSparseOutput` results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Exploit prediction scoring system (EPSS) score for CVE-2021-29619
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 11 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-29619
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
2.1
|
LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P |
3.9
|
2.9
|
nvd@nist.gov |
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
nvd@nist.gov |
|
2.5
|
LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |
1.0
|
1.4
|
security-advisories@github.com |
CWE ids for CVE-2021-29619
-
The product does not handle or incorrectly handles an exceptional condition.Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-29619
-
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wvjw-p9f5-vq28
Segfault in `tf.raw_ops.SparseCountSparseOutput` · Advisory · tensorflow/tensorflow · GitHubExploit;Patch;Third Party Advisory
-
https://github.com/tensorflow/tensorflow/commit/82e6203221865de4008445b13c69b6826d2b28d9
Fix segfaults in `tf.raw_ops.SparseCountSparseOutput`. · tensorflow/tensorflow@82e6203 · GitHubPatch;Third Party Advisory
Products affected by CVE-2021-29619
- cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*