cvelistv5 - CVE-2021-37675

URL	Tags
security-advisories@github.com	https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww	Third Party Advisory

pysec-2021-297

Vulnerability from pysec

Published

2021-08-12 22:15

Modified

2021-08-27 03:22

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow",
        "purl": "pkg:pypi/tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
            }
          ],
          "repo": "https://github.com/tensorflow/tensorflow",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            },
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.4.0",
        "2.4.1",
        "2.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37675",
    "GHSA-9c8h-2mv3-49ww"
  ],
  "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
  "id": "PYSEC-2021-297",
  "modified": "2021-08-27T03:22:46.293986Z",
  "published": "2021-08-12T22:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww"
    },
    {
      "type": "FIX",
      "url": "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
    }
  ]
}

pysec-2021-786

Vulnerability from pysec

Published

2021-08-12 22:15

Modified

2021-12-09 06:35

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu",
        "purl": "pkg:pypi/tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
            }
          ],
          "repo": "https://github.com/tensorflow/tensorflow",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            },
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.4.0",
        "2.4.1",
        "2.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37675",
    "GHSA-9c8h-2mv3-49ww"
  ],
  "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
  "id": "PYSEC-2021-786",
  "modified": "2021-12-09T06:35:38.896417Z",
  "published": "2021-08-12T22:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww"
    },
    {
      "type": "FIX",
      "url": "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
    }
  ]
}

pysec-2021-588

Vulnerability from pysec

Published

2021-08-12 22:15

Modified

2021-12-09 06:35

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu",
        "purl": "pkg:pypi/tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
            }
          ],
          "repo": "https://github.com/tensorflow/tensorflow",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            },
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.4.0",
        "2.4.1",
        "2.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37675",
    "GHSA-9c8h-2mv3-49ww"
  ],
  "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
  "id": "PYSEC-2021-588",
  "modified": "2021-12-09T06:35:05.402350Z",
  "published": "2021-08-12T22:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww"
    },
    {
      "type": "FIX",
      "url": "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
    }
  ]
}

ghsa-9c8h-2mv3-49ww

Vulnerability from github

Published

2021-08-25 14:41

Modified

2024-11-13 21:13

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Division by 0 in most convolution operators

Details

Impact

Most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash:

```python import tensorflow as tf

tf.compat.v1.disable_v2_behavior() tf.raw_ops.Conv2D( input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32), filter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32), strides = [1, 1, 1, 1], padding = "SAME") ```

The shape inference implementation is missing several validations before doing divisions and modulo operations.

Patches

We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4.

The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yakun Zhang of Baidu Security.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-24T15:41:50Z",
    "nvd_published_at": "2021-08-12T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nMost implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash:\n\n```python\nimport tensorflow as tf\n\ntf.compat.v1.disable_v2_behavior()\ntf.raw_ops.Conv2D(\n  input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32),\n  filter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32),\n  strides = [1, 1, 1, 1],\n  padding = \"SAME\")\n```\n\nThe shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations.\n\n### Patches\nWe have patched the issue in GitHub commit [8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4](https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4).\n\nThe fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yakun Zhang of Baidu Security.",
  "id": "GHSA-9c8h-2mv3-49ww",
  "modified": "2024-11-13T21:13:06Z",
  "published": "2021-08-25T14:41:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-588.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-786.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-297.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Division by 0 in most convolution operators"
}

gsd-2021-37675

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Aliases

CVE-2021-37675

Aliases

CVE-2021-37675

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-37675",
    "description": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
    "id": "GSD-2021-37675",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-37675.html",
      "https://security.archlinux.org/CVE-2021-37675"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-37675"
      ],
      "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
      "id": "GSD-2021-37675",
      "modified": "2023-12-13T01:23:09.744546Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-37675",
        "STATE": "PUBLIC",
        "TITLE": "Division by 0 in most convolution operators in TensorFlow"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "tensorflow",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 2.5.0, \u003c 2.5.1"
                        },
                        {
                          "version_value": "\u003e= 2.4.0, \u003c 2.4.3"
                        },
                        {
                          "version_value": "\u003c 2.3.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "tensorflow"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-369: Divide By Zero"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww",
            "refsource": "CONFIRM",
            "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww"
          },
          {
            "name": "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4",
            "refsource": "MISC",
            "url": "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-9c8h-2mv3-49ww",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.3.4||\u003e=2.4.0,\u003c2.4.3||==2.5.0",
          "affected_versions": "All versions before 2.3.4, all versions starting from 2.4.0 before 2.4.3, version 2.5.0",
          "cvss_v2": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-369",
            "CWE-937"
          ],
          "date": "2021-08-25",
          "description": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
          "fixed_versions": [
            "2.3.4",
            "2.4.3",
            "2.5.1"
          ],
          "identifier": "CVE-2021-37675",
          "identifiers": [
            "GHSA-9c8h-2mv3-49ww",
            "CVE-2021-37675"
          ],
          "not_impacted": "All versions starting from 2.3.4 before 2.4.0, all versions starting from 2.4.3 before 2.5.0, all versions after 2.5.0",
          "package_slug": "pypi/tensorflow-cpu",
          "pubdate": "2021-08-25",
          "solution": "Upgrade to versions 2.3.4, 2.4.3, 2.5.1 or above.",
          "title": "Divide By Zero",
          "urls": [
            "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-37675",
            "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4",
            "https://github.com/advisories/GHSA-9c8h-2mv3-49ww"
          ],
          "uuid": "3bd6db6c-3050-4a62-968d-a04e9019d20d"
        },
        {
          "affected_range": "\u003c2.3.4||\u003e=2.4.0,\u003c2.4.3||==2.5.0",
          "affected_versions": "All versions before 2.3.4, all versions starting from 2.4.0 before 2.4.3, version 2.5.0",
          "cvss_v2": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-369",
            "CWE-937"
          ],
          "date": "2021-08-25",
          "description": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference implementation is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
          "fixed_versions": [
            "2.3.4",
            "2.4.3",
            "2.5.1"
          ],
          "identifier": "CVE-2021-37675",
          "identifiers": [
            "GHSA-9c8h-2mv3-49ww",
            "CVE-2021-37675"
          ],
          "not_impacted": "All versions starting from 2.3.4 before 2.4.0, all versions starting from 2.4.3 before 2.5.0, all versions after 2.5.0",
          "package_slug": "pypi/tensorflow-gpu",
          "pubdate": "2021-08-25",
          "solution": "Upgrade to versions 2.3.4, 2.4.3, 2.5.1 or above.",
          "title": "Divide By Zero",
          "urls": [
            "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-37675",
            "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4",
            "https://github.com/advisories/GHSA-9c8h-2mv3-49ww"
          ],
          "uuid": "1bf222e4-10b8-41ba-bc35-38de193bb770"
        },
        {
          "affected_range": "\u003e=2.3.0,\u003c2.3.4||\u003e=2.4.0,\u003c2.4.3||\u003e=2.5.0,\u003c=2.6.0",
          "affected_versions": "All versions starting from 2.3.0 before 2.3.4, all versions starting from 2.4.0 before 2.4.3, all versions starting from 2.5.0 up to 2.6.0",
          "cvss_v2": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2021-08-18",
          "description": "TensorFlow is an end-to-end open source platform for machine learning. The shape inference implementation is missing several validations before doing divisions and modulo operations.",
          "fixed_versions": [
            "2.3.4",
            "2.4.3"
          ],
          "identifier": "CVE-2021-37675",
          "identifiers": [
            "CVE-2021-37675",
            "GHSA-9c8h-2mv3-49ww"
          ],
          "not_impacted": "All versions before 2.3.0, all versions starting from 2.3.4 before 2.4.0, all versions starting from 2.4.3 before 2.5.0, all versions after 2.6.0",
          "package_slug": "pypi/tensorflow",
          "pubdate": "2021-08-12",
          "solution": "Upgrade to versions 2.3.4, 2.4.3 or above.",
          "title": "Divide By Zero",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-37675"
          ],
          "uuid": "53038e11-ebd1-41fe-ac2a-08546c7d4e3a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.4",
                "versionStartIncluding": "2.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.3",
                "versionStartIncluding": "2.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.6.0:rc0:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.6.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.6.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-37675"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-369"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww"
            },
            {
              "name": "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.1,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-08-18T20:56Z",
      "publishedDate": "2021-08-12T22:15Z"
    }
  }
}

CVE-2021-37675

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

CVE-2021-37675

Vulnerability from cvelistv5

pysec-2021-297

Vulnerability from pysec

pysec-2021-786

Vulnerability from pysec

pysec-2021-588

Vulnerability from pysec

ghsa-9c8h-2mv3-49ww

Vulnerability from github

Impact

Patches

For more information

Attribution

gsd-2021-37675

Vulnerability from gsd

Tags

Sightings

Nomenclature