CVE-2021-37661: Incorrect Conversion between Numeric Types
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by passing negative arguments. The implementation does not validate that num_streams is non-negative before using it as an allocation size. Because reserve takes an unsigned integer, a negative num_streams is implicitly converted to a very large unsigned value, and the resulting allocation request fails inside the standard library. That failure is not caught by the op, so it terminates the whole process hosting the TensorFlow runtime rather than returning an error to the caller. The check belongs before the allocation: reject any negative num_streams with an invalid-argument error.
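The conversion described above, shown as an added, self-contained C++ example (this is not TensorFlow's own kernel code; the QuantileStream struct, the function names and the sample counts are illustrative stand-ins). It contrasts the unguarded path, where a signed count flows straight into vector::reserve, with a validated path that rejects negative counts before allocating:

```cpp
#include <cstddef>
#include <cstdint>
#include <exception>
#include <limits>
#include <vector>

// Illustrative stand-in for the per-stream objects the real op allocates.
struct QuantileStream {
  int id;
};

// The value reserve() actually receives once a signed 64-bit count is
// implicitly converted to size_t: -1 becomes SIZE_MAX.
std::size_t converted_size(int64_t num_streams) {
  return static_cast<std::size_t>(num_streams);
}

// Unguarded path (models the bug): num_streams is passed to reserve()
// with no range check. For a negative count the wrapped size exceeds
// max_size(), and the library throws (std::length_error here). In a
// kernel that does not catch it, that exception takes down the process.
std::size_t unguarded_reserve(int64_t num_streams) {
  std::vector<QuantileStream> streams;
  streams.reserve(num_streams);  // implicit int64_t -> size_t conversion
  return streams.capacity();
}

// Wrapper so the demonstration can observe the failure as a return value
// instead of an aborted process; production code should never reach here.
bool unguarded_reserve_survives(int64_t num_streams) {
  try {
    unguarded_reserve(num_streams);
    return true;
  } catch (const std::exception&) {
    return false;
  }
}

// Validated path (added here, not the project's fix verbatim): refuse a
// negative count up front, so the allocation size is always meaningful.
// Returns -1 for a rejected input, otherwise the capacity reserved.
int64_t validated_reserve(int64_t num_streams) {
  if (num_streams < 0) {
    return -1;  // invalid argument; report to the caller, do not allocate
  }
  std::vector<QuantileStream> streams;
  streams.reserve(static_cast<std::size_t>(num_streams));
  return static_cast<int64_t>(streams.capacity());
}

int main() {
  // Constructed inputs: a sane count and the negative count that wraps.
  unguarded_reserve_survives(8);
  unguarded_reserve_survives(-1);
  validated_reserve(-5);
  validated_reserve(4);
  return 0;
}
```

The point of the validated version is that the sign check happens on the signed value, before any conversion; checking the converted size_t against a limit would still work but obscures the intent, and a bound on num_streams that reflects what the op can reasonably serve is a sensible extra guard.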