Vulnerability Details : CVE-2021-41205
TensorFlow is an open source platform for machine learning. In affected versions the shape inference functions for the `QuantizeAndDequantizeV*` operations can trigger a read outside of bounds of heap allocated array. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
Exploit prediction scoring system (EPSS) score for CVE-2021-41205
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 10 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-41205
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
3.6
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:P |
3.9
|
4.9
|
nvd@nist.gov |
|
7.1
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
1.8
|
5.2
|
nvd@nist.gov |
|
7.1
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
1.8
|
5.2
|
security-advisories@github.com |
CWE ids for CVE-2021-41205
-
The product reads data past the end, or before the beginning, of the intended buffer.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2021-41205
-
https://github.com/tensorflow/tensorflow/commit/7cf73a2274732c9d82af51c2bc2cf90d13cd7e6d
Address QuantizeAndDequantizeV* heap oob. Added additional checks fo… · tensorflow/tensorflow@7cf73a2 · GitHubPatch;Third Party Advisory
-
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-49rx-x2rw-pc6f
Heap OOB read in all `tf.raw_ops.QuantizeAndDequantizeV*` ops · Advisory · tensorflow/tensorflow · GitHubThird Party Advisory
Products affected by CVE-2021-41205
- cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*