CVE-2021-29554: Divide By Zero
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in tf.raw_ops.DenseCountSparseOutput
. This is because the implementation computes a divisor value from user data but does not check that the result is 0 before doing the division. Since data
is given by the values
argument, num_batch_elements
is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, and TensorFlow 2.3.3, as these are also affected.
References
Detect and mitigate CVE-2021-29554 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →