Safety vulnerability ID: 55658
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Tensorflow-cpu version 2.3.4, 2.4.3, 2.5.1, 2.6.0 and 2.7.0 include a fix for CVE-2021-37678:
In affected versions, TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation(https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses "yaml.unsafe_load" which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, the Tensorflow team has removed it for now. The Tensorflow team has patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012.
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r6jx-9g48-2r5r
https://github.com/tensorflow/tensorflow/commit/23d6383eb6c14084a8fc3bdf164043b974818012
Latest version: 2.18.0
TensorFlow is an open source machine learning framework for everyone.
This vulnerability has no description
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application