CVE-2021-37654: Out-of-bounds Read
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.raw_ops.ResourceGather, or a read from outside the bounds of heap allocated data in the same API in a release build. The implementation does not check that the batch_dims value that the user supplies is less than the rank of the input tensor. Since the implementation uses several for loops over the dimensions of the tensor, this results in reading data from outside the bounds of the heap allocated buffer backing the tensor.
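The missing check described above, as an added illustration that is not TensorFlow's code: a plain-Python gather with batch_dims over nested lists, which validates batch_dims against the rank of params (and the matching leading dimensions of indices) before any indexing loop runs, and rejects out-of-range element indices instead of reading past the end of the data. The function names, the nested-list tensor representation and the sample inputs are assumptions for this example.

```python
"""Added example (not TensorFlow code): gather with batch_dims over nested
Python lists, with the batch_dims/rank validation that prevents the
out-of-bounds read described for CVE-2021-37654."""


def rank(tensor):
    """Number of nested-list dimensions; a scalar has rank 0."""
    r = 0
    while isinstance(tensor, list):
        r += 1
        if not tensor:
            break
        tensor = tensor[0]
    return r


def shape(tensor):
    """Leading sizes of a (rectangular) nested-list tensor."""
    dims = []
    while isinstance(tensor, list):
        dims.append(len(tensor))
        if not tensor:
            break
        tensor = tensor[0]
    return dims


def validate_batch_dims(params, indices, batch_dims):
    """Reject batch_dims values that the indexing loops cannot satisfy.

    The vulnerable implementation skipped the `batch_dims < rank(params)`
    check; without it the per-dimension loops index beyond the buffer."""
    params_rank, indices_rank = rank(params), rank(indices)
    if batch_dims < 0:
        raise ValueError(f"batch_dims must be non-negative, got {batch_dims}")
    if batch_dims >= params_rank:
        raise ValueError(
            f"batch_dims ({batch_dims}) must be less than rank of params ({params_rank})")
    if batch_dims > indices_rank:
        raise ValueError(
            f"batch_dims ({batch_dims}) must not exceed rank of indices ({indices_rank})")
    p_shape, i_shape = shape(params), shape(indices)
    if p_shape[:batch_dims] != i_shape[:batch_dims]:
        raise ValueError(
            f"leading {batch_dims} dims differ: params {p_shape[:batch_dims]} "
            f"vs indices {i_shape[:batch_dims]}")


def batch_dims_error(params, indices, batch_dims):
    """Return the validation error message, or None if the call is well-formed."""
    try:
        validate_batch_dims(params, indices, batch_dims)
    except ValueError as exc:
        return str(exc)
    return None


def _gather_axis0(params, indices):
    """Gather along axis 0, producing the nesting structure of `indices`."""
    if isinstance(indices, list):
        return [_gather_axis0(params, i) for i in indices]
    if not 0 <= indices < len(params):
        # Same class of defect at the element level: refuse rather than read
        # outside the slice that backs this axis.
        raise IndexError(f"index {indices} out of range for axis of size {len(params)}")
    return params[indices]


def _gather(params, indices, batch_dims):
    if batch_dims == 0:
        return _gather_axis0(params, indices)
    # Walk one batch dimension of params and indices in lock-step.
    return [_gather(p, i, batch_dims - 1) for p, i in zip(params, indices)]


def gather(params, indices, batch_dims=0):
    """Validated gather: checks run once, before any loop touches the data."""
    validate_batch_dims(params, indices, batch_dims)
    return _gather(params, indices, batch_dims)


if __name__ == "__main__":
    # Constructed sample data: a rank-2 params tensor of shape [2, 3].
    params = [[10, 11, 12], [20, 21, 22]]
    print(gather(params, [1, 0], batch_dims=0))        # [[20, 21, 22], [10, 11, 12]]
    print(gather(params, [[2, 0], [1, 1]], batch_dims=1))  # [[12, 10], [21, 21]]
    # batch_dims equal to the rank of params is exactly the unchecked case.
    print(batch_dims_error(params, [[2], [0]], batch_dims=2))
```

The validation is deliberately separated from the gather loops so that a reviewer can see every precondition in one place; the same shape of check (bound the user-controlled dimension count by the tensor's rank before iterating) is what a release build needs, since without the CHECK the loops simply run with an out-of-range dimension.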