{"containers": {"cna": {"affected": [{"product": "tensorflow", "vendor": "tensorflow", "versions": [{"status": "affected", "version": ">= 2.5.0, < 2.5.1"}, {"status": "affected", "version": ">= 2.4.0, < 2.4.3"}, {"status": "affected", "version": "< 2.3.4"}]}], "descriptions": [{"lang": "en", "value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions providing a negative element to `num_elements` list argument of `tf.raw_ops.TensorListReserve` causes the runtime to abort the process due to reallocating a `std::vector` to have a negative number of elements. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312) calls `std::vector.resize()` with the new size controlled by input given by the user, without checking that this input is valid. We have patched the issue in GitHub commit 8a6e874437670045e6c7dc6154c7412b4a2135e2. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "description": "CWE-617: Reachable Assertion", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-12T20:35:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-27j5-4p9v-pp67"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tensorflow/tensorflow/commit/8a6e874437670045e6c7dc6154c7412b4a2135e2"}], "source": {"advisory": "GHSA-27j5-4p9v-pp67", "discovery": "UNKNOWN"}, "title": "`std::abort` raised from `TensorListReserve` in TensorFlow", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37644", "STATE": "PUBLIC", "TITLE": "`std::abort` raised from `TensorListReserve` in TensorFlow"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tensorflow", "version": {"version_data": [{"version_value": ">= 2.5.0, < 2.5.1"}, {"version_value": ">= 2.4.0, < 2.4.3"}, {"version_value": "< 2.3.4"}]}}]}, "vendor_name": "tensorflow"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions providing a negative element to `num_elements` list argument of `tf.raw_ops.TensorListReserve` causes the runtime to abort the process due to reallocating a `std::vector` to have a negative number of elements. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312) calls `std::vector.resize()` with the new size controlled by input given by the user, without checking that this input is valid. We have patched the issue in GitHub commit 8a6e874437670045e6c7dc6154c7412b4a2135e2. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-617: Reachable Assertion"}]}]}, "references": {"reference_data": [{"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-27j5-4p9v-pp67", "refsource": "CONFIRM", "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-27j5-4p9v-pp67"}, {"name": "https://github.com/tensorflow/tensorflow/commit/8a6e874437670045e6c7dc6154c7412b4a2135e2", "refsource": "MISC", "url": "https://github.com/tensorflow/tensorflow/commit/8a6e874437670045e6c7dc6154c7412b4a2135e2"}]}, "source": {"advisory": "GHSA-27j5-4p9v-pp67", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-37644", "datePublished": "2021-08-12T20:35:12", "dateReserved": "2021-07-29T00:00:00", "dateUpdated": "2021-08-12T20:35:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F83C081-51CC-415F-A8C0-0A44C75E2CD6", "versionEndExcluding": "2.3.4", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD3F2BF8-EBA9-42BF-8F9B-D918B880B15A", "versionEndExcluding": "2.4.3", "versionStartIncluding": "2.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:tensorflow:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "D03E99A7-4E3D-427D-A156-C0713E9FB02A", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:tensorflow:2.6.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "70FA6E48-6C57-40CA-809F-4E3D07CBF348", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:tensorflow:2.6.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "42187561-E491-434D-828C-F36701446634", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:tensorflow:2.6.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "C66B61C8-450A-4C5E-9174-F970D6DEE778", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions providing a negative element to `num_elements` list argument of `tf.raw_ops.TensorListReserve` causes the runtime to abort the process due to reallocating a `std::vector` to have a negative number of elements. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312) calls `std::vector.resize()` with the new size controlled by input given by the user, without checking that this input is valid. We have patched the issue in GitHub commit 8a6e874437670045e6c7dc6154c7412b4a2135e2. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."}, {"lang": "es", "value": "TensorFlow es una plataforma de c\u00f3digo abierto de extremo a extremo para el aprendizaje autom\u00e1tico. En las versiones afectadas, proporcionar un elemento negativo al argumento de lista \"num_elements\" de \"tf.raw_ops.TensorListReserve\" hace que el tiempo de ejecuci\u00f3n aborte el proceso debido a la reasignaci\u00f3n de un \"std::vector\" para tener un n\u00famero negativo de elementos. La [implementaci\u00f3n](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312) llama a \"std::vector.resize()\" con el nuevo tama\u00f1o controlado por la entrada dada por el usuario, sin comprobar que esta entrada es v\u00e1lida. Hemos parcheado el problema en el commit 8a6e874437670045e6c7dc6154c7412b4a2135e2 de GitHub. La correcci\u00f3n ser\u00e1 incluida en TensorFlow versi\u00f3n 2.6.0. Tambi\u00e9n seleccionaremos este commit en TensorFlow 2.5.1, TensorFlow 2.4.3 y TensorFlow 2.3.4, ya que estos tambi\u00e9n est\u00e1n afectados y todav\u00eda est\u00e1n en el rango de soporte."}], "id": "CVE-2021-37644", "lastModified": "2021-08-18T15:38:10.463", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-12T21:15:07.770", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tensorflow/tensorflow/commit/8a6e874437670045e6c7dc6154c7412b4a2135e2"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-27j5-4p9v-pp67"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}