TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via CHECK-fail in tf.strings.substr with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Weakness
The product does not handle or incorrectly handles an exceptional condition.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tensorflow | * | 2.1.4 (excluding) | |
| Tensorflow | 2.2.0 (including) | 2.2.3 (excluding) | |
| Tensorflow | 2.3.0 (including) | 2.3.3 (excluding) | |
| Tensorflow | 2.4.0 (including) | 2.4.2 (excluding) |
References
- https://github.com/tensorflow/issues/46900
- https://github.com/tensorflow/issues/46974
- https://github.com/tensorflow/tensorflow/commit/890f7164b70354c57d40eda52dcdd7658677c09f
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mmq6-q8r3-48fm
- https://github.com/tensorflow/issues/46900
- https://github.com/tensorflow/issues/46974
- https://github.com/tensorflow/tensorflow/commit/890f7164b70354c57d40eda52dcdd7658677c09f
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mmq6-q8r3-48fm