Safety vulnerability ID: 42475
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Tensorflow versions 2.4.4, 2.5.2 and 2.6.1 include a fix for CVE-2021-41228: In affected versions, TensorFlow's 'saved_model_cli' tool is vulnerable to a code injection as it calls 'eval' on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. The issue has been patched by adding a 'safe' flag which defaults to 'True' and an explicit warning for users.
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v
https://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7
Latest version: 2.18.0
TensorFlow is an open source machine learning framework for everyone.
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. We have patched this by adding a `safe` flag which defaults to `True` and an explicit warning for users. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range. See CVE-2021-41228.
CONFIRM:https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v
MISC:https://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7: https://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application