CVE-2021-29532: Out-of-bounds Read
TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap-allocated arrays by passing invalid tensor values to tf.raw_ops.RaggedCross. This is because the implementation lacks validation for the user-supplied arguments. Each of the above branches calls a helper function after accessing array elements via a *_list[next_*] pattern, followed by incrementing the next_* index. However, as there is no validation that the next_* values are in the valid range for the corresponding *_list arrays, this results in heap out-of-bounds reads.
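The missing check, as an added C++ illustration that is not TensorFlow's kernel code: a constructed stand-in for the cursor-per-list pattern the advisory describes, with the unchecked form beside one that validates each next_* cursor against its list size before the access. The 'R'/'D'/'S' input_order encoding and the int stand-ins for per-feature tensors are assumptions.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed stand-in for the op's inputs: each list holds one entry per
// feature of that kind, and input_order says which list the next feature is
// taken from ('R' ragged, 'D' dense, 'S' sparse). The next_* cursors advance
// as features are consumed, mirroring the *_list[next_*] pattern.
struct CrossInputs {
  std::string input_order;       // assumed encoding, e.g. "RDS"
  std::vector<int> ragged_list;  // int stand-ins for per-feature tensors
  std::vector<int> dense_list;
  std::vector<int> sparse_list;
};

// Vulnerable shape: indexes *_list[next_*] without checking that the cursor is
// inside the list, so an input_order with more entries of a kind than its
// list holds reads past the end of the heap-allocated vector (undefined
// behaviour). Shown for contrast; only call it with consistent inputs.
int SumUnchecked(const CrossInputs& in) {
  size_t next_ragged = 0, next_dense = 0, next_sparse = 0;
  int total = 0;
  for (char kind : in.input_order) {
    if (kind == 'R')      total += in.ragged_list[next_ragged++];
    else if (kind == 'D') total += in.dense_list[next_dense++];
    else if (kind == 'S') total += in.sparse_list[next_sparse++];
  }
  return total;
}

// Hardened shape: resolve the list and cursor for the feature kind, reject
// unknown kinds, and refuse the access when the cursor is out of range
// instead of touching memory beyond the array.
bool SumChecked(const CrossInputs& in, int* total) {
  size_t next_ragged = 0, next_dense = 0, next_sparse = 0;
  *total = 0;
  for (char kind : in.input_order) {
    const std::vector<int>* list = nullptr;
    size_t* cursor = nullptr;
    if (kind == 'R')      { list = &in.ragged_list; cursor = &next_ragged; }
    else if (kind == 'D') { list = &in.dense_list;  cursor = &next_dense; }
    else if (kind == 'S') { list = &in.sparse_list; cursor = &next_sparse; }
    else return false;                          // unknown feature kind
    if (*cursor >= list->size()) return false;  // the check the bug lacked
    *total += (*list)[(*cursor)++];
  }
  return true;
}
```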