Vulnerability-Lookup

CVE-2021-37646 (GCVE-0-2021-37646)

Vulnerability from cvelistv5 – Published: 2021-08-12 21:10 – Updated: 2024-08-04 01:23

Title

Bad alloc in `StringNGrams` caused by integer conversion in TensorFlow

Summary

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-681 - Incorrect Conversion between Numeric Types

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	tensorflow	tensorflow	Affected: >= 2.5.0, < 2.5.1 Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4

CNVD-2021-64532

Vulnerability from cnvd - Published: 2021-08-24

Title

Google TensorFlow整数溢出漏洞（CNVD-2021-64532）

Description

Google TensorFlow是美国谷歌（Google）公司的一套用于机器学习的端到端开源平台。 Google TensorFlow存在安全漏洞，该漏洞是由于将有符号整数值转换为无符号整数值然后根据该值分配内存而引起的。目前没有详细的漏洞细节提供。

Severity

低

Patch Name

Google TensorFlow整数溢出漏洞（CNVD-2021-64532）的补丁

Patch Description

Google TensorFlow是美国谷歌（Google）公司的一套用于机器学习的端到端开源平台。 Google TensorFlow存在安全漏洞，该漏洞是由于将有符号整数值转换为无符号整数值然后根据该值分配内存而引起的。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-37646

Impacted products

Name
['Google TensorFlow 2.5.1', 'Google TensorFlow 2.4.3', 'Google TensorFlow 2.3.4']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-37646"
    }
  },
  "description": "Google TensorFlow\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u673a\u5668\u5b66\u4e60\u7684\u7aef\u5230\u7aef\u5f00\u6e90\u5e73\u53f0\u3002\n\nGoogle TensorFlow\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u5c06\u6709\u7b26\u53f7\u6574\u6570\u503c\u8f6c\u6362\u4e3a\u65e0\u7b26\u53f7\u6574\u6570\u503c\u7136\u540e\u6839\u636e\u8be5\u503c\u5206\u914d\u5185\u5b58\u800c\u5f15\u8d77\u7684\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-64532",
  "openTime": "2021-08-24",
  "patchDescription": "Google TensorFlow\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u673a\u5668\u5b66\u4e60\u7684\u7aef\u5230\u7aef\u5f00\u6e90\u5e73\u53f0\u3002\r\n\r\nGoogle TensorFlow\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u5c06\u6709\u7b26\u53f7\u6574\u6570\u503c\u8f6c\u6362\u4e3a\u65e0\u7b26\u53f7\u6574\u6570\u503c\u7136\u540e\u6839\u636e\u8be5\u503c\u5206\u914d\u5185\u5b58\u800c\u5f15\u8d77\u7684\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Google TensorFlow\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2021-64532\uff09 \u7684\u8865\u4e01",
  "products": {
    "product": [
      "Google TensorFlow 2.5.1",
      "Google TensorFlow 2.4.3",
      "Google TensorFlow 2.3.4"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-37646",
  "serverity": "\u4f4e",
  "submitTime": "2021-08-13",
  "title": "Google TensorFlow\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2021-64532\uff09"
}

PYSEC-2021-268

Vulnerability from pysec - Published: 2021-08-12 21:15 - Updated: 2021-08-27 03:22

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.StringNGrams is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The implementation calls reserve on a tstring with a value that sometimes can be negative if user supplies negative ngram_widths. The reserve method calls TF_TString_Reserve which has an unsigned long argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Impacted products

Name	purl
tensorflow	pkg:pypi/tensorflow

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow",
        "purl": "pkg:pypi/tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "c283e542a3f422420cfdb332414543b62fc4e4a5"
            }
          ],
          "repo": "https://github.com/tensorflow/tensorflow",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            },
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.4.0",
        "2.4.1",
        "2.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37646",
    "GHSA-h6jh-7gv5-28vg"
  ],
  "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
  "id": "PYSEC-2021-268",
  "modified": "2021-08-27T03:22:43.623027Z",
  "published": "2021-08-12T21:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
    }
  ]
}

PYSEC-2021-559

Vulnerability from pysec - Published: 2021-08-12 21:15 - Updated: 2021-12-09 06:35

Details

Impacted products

Name	purl
tensorflow-cpu	pkg:pypi/tensorflow-cpu

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu",
        "purl": "pkg:pypi/tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "c283e542a3f422420cfdb332414543b62fc4e4a5"
            }
          ],
          "repo": "https://github.com/tensorflow/tensorflow",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            },
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.4.0",
        "2.4.1",
        "2.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37646",
    "GHSA-h6jh-7gv5-28vg"
  ],
  "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
  "id": "PYSEC-2021-559",
  "modified": "2021-12-09T06:35:02.920127Z",
  "published": "2021-08-12T21:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
    }
  ]
}

PYSEC-2021-757

Vulnerability from pysec - Published: 2021-08-12 21:15 - Updated: 2021-12-09 06:35

Details

Impacted products

Name	purl
tensorflow-gpu	pkg:pypi/tensorflow-gpu

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu",
        "purl": "pkg:pypi/tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "c283e542a3f422420cfdb332414543b62fc4e4a5"
            }
          ],
          "repo": "https://github.com/tensorflow/tensorflow",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            },
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.4.0",
        "2.4.1",
        "2.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37646",
    "GHSA-h6jh-7gv5-28vg"
  ],
  "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
  "id": "PYSEC-2021-757",
  "modified": "2021-12-09T06:35:36.306207Z",
  "published": "2021-08-12T21:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
    }
  ]
}

GHSA-H6JH-7GV5-28VG

Vulnerability from github – Published: 2021-08-25 14:43 – Updated: 2024-11-13 17:20

Summary

Bad alloc in `StringNGrams` caused by integer conversion

Details

Impact

The implementation of tf.raw_ops.StringNGrams is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value.

import tensorflow as tf

tf.raw_ops.StringNGrams(
  data=['',''],
  data_splits=[0,2],
  separator=' '*100,
  ngram_widths=[-80,0,0,-60],
  left_pad=' ',
  right_pad=' ',
  pad_width=100,
  preserve_short_sequences=False)

The implementation calls reserve on a tstring with a value that sometimes can be negative if user supplies negative ngram_widths. The reserve method calls TF_TString_Reserve which has an unsigned long argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer.

Patches

We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5.

The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by members of the Aivul Team from Qihoo 360.

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.8 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-681"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T19:25:38Z",
    "nvd_published_at": "2021-08-12T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value.\n\n```python\nimport tensorflow as tf\n\ntf.raw_ops.StringNGrams(\n  data=[\u0027\u0027,\u0027\u0027],\n  data_splits=[0,2],\n  separator=\u0027 \u0027*100,\n  ngram_widths=[-80,0,0,-60],\n  left_pad=\u0027 \u0027,\n  right_pad=\u0027 \u0027,\n  pad_width=100,\n  preserve_short_sequences=False)\n```\n\nThe [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer.\n\n### Patches\nWe have patched the issue in GitHub commit [c283e542a3f422420cfdb332414543b62fc4e4a5](https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5).\n\nThe fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by members of the Aivul Team from Qihoo 360.",
  "id": "GHSA-h6jh-7gv5-28vg",
  "modified": "2024-11-13T17:20:00Z",
  "published": "2021-08-25T14:43:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-559.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-757.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-268.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bad alloc in `StringNGrams` caused by integer conversion"
}

bit-tensorflow-2021-37646

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:17

Modified

2025-05-20 10:02

Summary

Bad alloc in `StringNGrams` caused by integer conversion in TensorFlow

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "tensorflow",
        "purl": "pkg:bitnami/tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            },
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            },
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37646"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
      "cpe:2.3:a:google:tensorflow:2.5.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:google:tensorflow:2.6.0:rc0:*:*:*:*:*:*",
      "cpe:2.3:a:google:tensorflow:2.6.0:rc1:*:*:*:*:*:*",
      "cpe:2.3:a:google:tensorflow:2.6.0:rc2:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
  "id": "BIT-tensorflow-2021-37646",
  "modified": "2025-05-20T10:02:07.006Z",
  "published": "2024-03-06T11:17:39.255Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37646"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Bad alloc in `StringNGrams` caused by integer conversion in TensorFlow"
}

GSD-2021-37646

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-37646

Aliases

CVE-2021-37646

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-37646",
    "description": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
    "id": "GSD-2021-37646",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-37646.html",
      "https://security.archlinux.org/CVE-2021-37646"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-37646"
      ],
      "details": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
      "id": "GSD-2021-37646",
      "modified": "2023-12-13T01:23:09.419654Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-37646",
        "STATE": "PUBLIC",
        "TITLE": "Bad alloc in `StringNGrams` caused by integer conversion in TensorFlow"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "tensorflow",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 2.5.0, \u003c 2.5.1"
                        },
                        {
                          "version_value": "\u003e= 2.4.0, \u003c 2.4.3"
                        },
                        {
                          "version_value": "\u003c 2.3.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "tensorflow"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-681: Incorrect Conversion between Numeric Types"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg",
            "refsource": "CONFIRM",
            "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
          },
          {
            "name": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5",
            "refsource": "MISC",
            "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-h6jh-7gv5-28vg",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.3.4||\u003e=2.4.0,\u003c2.4.3||==2.5.0",
          "affected_versions": "All versions before 2.3.4, all versions starting from 2.4.0 before 2.4.3, version 2.5.0",
          "cvss_v2": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-681",
            "CWE-937"
          ],
          "date": "2021-08-25",
          "description": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The implementation calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
          "fixed_versions": [
            "2.3.4",
            "2.4.3",
            "2.5.1"
          ],
          "identifier": "CVE-2021-37646",
          "identifiers": [
            "GHSA-h6jh-7gv5-28vg",
            "CVE-2021-37646"
          ],
          "not_impacted": "All versions starting from 2.3.4 before 2.4.0, all versions starting from 2.4.3 before 2.5.0, all versions after 2.5.0",
          "package_slug": "pypi/tensorflow-cpu",
          "pubdate": "2021-08-25",
          "solution": "Upgrade to versions 2.3.4, 2.4.3, 2.5.1 or above.",
          "title": "Incorrect Conversion between Numeric Types",
          "urls": [
            "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-37646",
            "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5",
            "https://github.com/advisories/GHSA-h6jh-7gv5-28vg"
          ],
          "uuid": "59e4bedf-761a-4523-847e-7f8a34d59a9f"
        },
        {
          "affected_range": "\u003c2.3.4||\u003e=2.4.0,\u003c2.4.3||==2.5.0",
          "affected_versions": "All versions before 2.3.4, all versions starting from 2.4.0 before 2.4.3, version 2.5.0",
          "cvss_v2": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-681",
            "CWE-937"
          ],
          "date": "2021-08-25",
          "description": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The implementation calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.",
          "fixed_versions": [
            "2.3.4",
            "2.4.3",
            "2.5.1"
          ],
          "identifier": "CVE-2021-37646",
          "identifiers": [
            "GHSA-h6jh-7gv5-28vg",
            "CVE-2021-37646"
          ],
          "not_impacted": "All versions starting from 2.3.4 before 2.4.0, all versions starting from 2.4.3 before 2.5.0, all versions after 2.5.0",
          "package_slug": "pypi/tensorflow-gpu",
          "pubdate": "2021-08-25",
          "solution": "Upgrade to versions 2.3.4, 2.4.3, 2.5.1 or above.",
          "title": "Incorrect Conversion between Numeric Types",
          "urls": [
            "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-37646",
            "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5",
            "https://github.com/advisories/GHSA-h6jh-7gv5-28vg"
          ],
          "uuid": "4b3787a5-5c0c-4c23-a017-a112a8c39653"
        },
        {
          "affected_range": "\u003e=2.3.0,\u003c2.3.4||\u003e=2.4.0,\u003c2.4.3||\u003e=2.5.0,\u003c=2.6.0",
          "affected_versions": "All versions starting from 2.3.0 before 2.3.4, all versions starting from 2.4.0 before 2.4.3, all versions starting from 2.5.0 up to 2.6.0",
          "cvss_v2": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2021-08-18",
          "description": "TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The implementation calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer.",
          "fixed_versions": [
            "2.3.4",
            "2.4.3"
          ],
          "identifier": "CVE-2021-37646",
          "identifiers": [
            "CVE-2021-37646",
            "GHSA-h6jh-7gv5-28vg"
          ],
          "not_impacted": "All versions before 2.3.0, all versions starting from 2.3.4 before 2.4.0, all versions starting from 2.4.3 before 2.5.0, all versions after 2.6.0",
          "package_slug": "pypi/tensorflow",
          "pubdate": "2021-08-12",
          "solution": "Upgrade to versions 2.3.4, 2.4.3 or above.",
          "title": "Incorrect Conversion between Numeric Types",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-37646"
          ],
          "uuid": "3ac32c12-3e5a-4dde-a85c-858f564abc68"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.4",
                "versionStartIncluding": "2.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.3",
                "versionStartIncluding": "2.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.6.0:rc0:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.6.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.6.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-37646"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-681"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
            },
            {
              "name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.1,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-08-18T15:39Z",
      "publishedDate": "2021-08-12T21:15Z"
    }
  }
}

FKIE_CVE-2021-37646

Vulnerability from fkie_nvd - Published: 2021-08-12 21:15 - Updated: 2024-11-21 06:15

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg	Third Party Advisory

Impacted products

Vendor	Product	Version
google	tensorflow	*
google	tensorflow	*
google	tensorflow	2.5.0
google	tensorflow	2.6.0
google	tensorflow	2.6.0
google	tensorflow	2.6.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F83C081-51CC-415F-A8C0-0A44C75E2CD6",
              "versionEndExcluding": "2.3.4",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD3F2BF8-EBA9-42BF-8F9B-D918B880B15A",
              "versionEndExcluding": "2.4.3",
              "versionStartIncluding": "2.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:tensorflow:2.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D03E99A7-4E3D-427D-A156-C0713E9FB02A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:tensorflow:2.6.0:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "70FA6E48-6C57-40CA-809F-4E3D07CBF348",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:tensorflow:2.6.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "42187561-E491-434D-828C-F36701446634",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:tensorflow:2.6.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "C66B61C8-450A-4C5E-9174-F970D6DEE778",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
    },
    {
      "lang": "es",
      "value": "TensorFlow es una plataforma de c\u00f3digo abierto de extremo a extremo para el aprendizaje autom\u00e1tico. En las versiones afectadas, la implementaci\u00f3n \"tf.raw_ops.StringNGrams\" es vulnerable a un problema de desbordamiento de enteros causado al convertir un valor entero con signo a uno sin signo y la posterior asignaci\u00f3n de memoria basada en este valor. La [implementaci\u00f3n](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) llama a \"reserve\" en una \"tstring\" con un valor que a veces puede ser negativo si el usuario proporciona \"ngram_widths\" negativo. El m\u00e9todo \"reserve\" llama a \"TF_TString_Reserve\" que presenta un argumento \"unsigned long\" para el tama\u00f1o del buffer. Por lo tanto, la conversi\u00f3n impl\u00edcita transforma el valor negativo en un entero grande. Hemos parcheado el problema en el commit de GitHub c283e542a3f422420cfdb332414543b62fc4e4a5. La correcci\u00f3n ser\u00e1 incluida en TensorFlow versi\u00f3n 2.6.0. Tambi\u00e9n seleccionaremos este commit en TensorFlow versi\u00f3n 2.5.1, TensorFlow versi\u00f3n 2.4.3, y TensorFlow versi\u00f3n 2.3.4, ya que estos tambi\u00e9n est\u00e1n afectados y todav\u00eda en el rango de soporte."
    }
  ],
  "id": "CVE-2021-37646",
  "lastModified": "2024-11-21T06:15:36.037",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 2.1,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-12T21:15:07.983",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/tensorflow/tensorflow/commit/c283e542a3f422420cfdb332414543b62fc4e4a5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6jh-7gv5-28vg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-681"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-37646 (GCVE-0-2021-37646)

Impact

Patches

For more information

Attribution

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature