CVE-2021-29534: Improper Check for Unusual or Exceptional Conditions
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK
-fail in tf.raw_ops.SparseConcat
. This is because the implementation takes the values specified in shapes0
TensorShapeconstructor uses a
CHECKoperation which triggers when
InitDimsreturns a non-OK status. This is a legacy implementation of the constructor and operations should use
BuildTensorShapeBaseor
AddDimWithStatusto prevent
CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
References
Detect and mitigate CVE-2021-29534 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →