CVE-2021-41225

Exploit

EPSS 0.02%
Veröffentlicht 05.11.2021 23:15:08
Zuletzt bearbeitet 21.11.2024 06:25:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's Grappler optimizer has a use of unitialized variable. If the `train_nodes` vector (obtained from the saved model that gets optimized) does not contain a `Dequeue` node, then `dequeue_node` is left unitialized. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Tensorflow Version >= 2.4.0 < 2.4.4

Google ≫ Tensorflow Version >= 2.5.0 < 2.5.2

Google ≫ Tensorflow Version >= 2.6.0 < 2.6.1

Google ≫ Tensorflow Version2.7.0 Updaterc0

Google ≫ Tensorflow Version2.7.0 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.025

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://github.com/tensorflow/tensorflow/commit/68867bf01239d9e1048f98cbad185bf4761bedd3

Patch

Third Party Advisory

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7r94-xv9v-63jw

Patch

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-41225

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41225

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41225

EUVD