CWE-476
NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
CVE-2021-37643 (GCVE-0-2021-37643)
Vulnerability from cvelistv5 – Published: 2021-08-12 18:10 – Updated: 2024-08-04 01:23
VLAI
Title
Null pointer dereference in `MatrixDiagPartOp` in TensorFlow
Summary
TensorFlow is an end-to-end open source platform for machine learning. If a user does not provide a valid padding value to `tf.raw_ops.MatrixDiagPartOp`, then the code triggers a null pointer dereference (if input is empty) or produces invalid behavior, ignoring all values after the first. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L89) reads the first value from a tensor buffer without first checking that the tensor has values to read from. We have patched the issue in GitHub commit 482da92095c4d48f8784b1f00dda4f81c28d2988. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Severity
7.7 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tensorflow/tensorflow/security… | x_refsource_CONFIRM |
| https://github.com/tensorflow/tensorflow/commit/4… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | tensorflow |
Affected:
>= 2.5.0, < 2.5.1
Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fcwc-p4fc-c5cc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/482da92095c4d48f8784b1f00dda4f81c28d2988"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an end-to-end open source platform for machine learning. If a user does not provide a valid padding value to `tf.raw_ops.MatrixDiagPartOp`, then the code triggers a null pointer dereference (if input is empty) or produces invalid behavior, ignoring all values after the first. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L89) reads the first value from a tensor buffer without first checking that the tensor has values to read from. We have patched the issue in GitHub commit 482da92095c4d48f8784b1f00dda4f81c28d2988. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T18:10:21.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fcwc-p4fc-c5cc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/482da92095c4d48f8784b1f00dda4f81c28d2988"
}
],
"source": {
"advisory": "GHSA-fcwc-p4fc-c5cc",
"discovery": "UNKNOWN"
},
"title": "Null pointer dereference in `MatrixDiagPartOp` in TensorFlow",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-37643",
"STATE": "PUBLIC",
"TITLE": "Null pointer dereference in `MatrixDiagPartOp` in TensorFlow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"version_value": "\u003c 2.3.4"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an end-to-end open source platform for machine learning. If a user does not provide a valid padding value to `tf.raw_ops.MatrixDiagPartOp`, then the code triggers a null pointer dereference (if input is empty) or produces invalid behavior, ignoring all values after the first. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L89) reads the first value from a tensor buffer without first checking that the tensor has values to read from. We have patched the issue in GitHub commit 482da92095c4d48f8784b1f00dda4f81c28d2988. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476: NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fcwc-p4fc-c5cc",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fcwc-p4fc-c5cc"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/482da92095c4d48f8784b1f00dda4f81c28d2988",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/482da92095c4d48f8784b1f00dda4f81c28d2988"
}
]
},
"source": {
"advisory": "GHSA-fcwc-p4fc-c5cc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-37643",
"datePublished": "2021-08-12T18:10:21.000Z",
"dateReserved": "2021-07-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:23:01.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37647 (GCVE-0-2021-37647)
Vulnerability from cvelistv5 – Published: 2021-08-12 18:10 – Updated: 2024-08-04 01:23
VLAI
Title
Null pointer dereference in `SparseTensorSliceDataset` in TensorFlow
Summary
TensorFlow is an end-to-end open source platform for machine learning. When a user does not supply arguments that determine a valid sparse tensor, `tf.raw_ops.SparseTensorSliceDataset` implementation can be made to dereference a null pointer. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L240-L251) has some argument validation but fails to consider the case when either `indices` or `values` are provided for an empty sparse tensor when the other is not. If `indices` is empty, then [code that performs validation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L260-L261) (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference. If `indices` as provided by the user is empty, then `indices` in the C++ code above is backed by an empty `std::vector`, hence calling `indices->dim_size(0)` results in null pointer dereferencing (same as calling `std::vector::at()` on an empty vector). We have patched the issue in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Severity
7.7 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tensorflow/tensorflow/security… | x_refsource_CONFIRM |
| https://github.com/tensorflow/tensorflow/commit/0… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | tensorflow |
Affected:
>= 2.5.0, < 2.5.1
Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.556Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c5x2-p679-95wc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/02cc160e29d20631de3859c6653184e3f876b9d7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an end-to-end open source platform for machine learning. When a user does not supply arguments that determine a valid sparse tensor, `tf.raw_ops.SparseTensorSliceDataset` implementation can be made to dereference a null pointer. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L240-L251) has some argument validation but fails to consider the case when either `indices` or `values` are provided for an empty sparse tensor when the other is not. If `indices` is empty, then [code that performs validation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L260-L261) (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference. If `indices` as provided by the user is empty, then `indices` in the C++ code above is backed by an empty `std::vector`, hence calling `indices-\u003edim_size(0)` results in null pointer dereferencing (same as calling `std::vector::at()` on an empty vector). We have patched the issue in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T18:10:27.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c5x2-p679-95wc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/02cc160e29d20631de3859c6653184e3f876b9d7"
}
],
"source": {
"advisory": "GHSA-c5x2-p679-95wc",
"discovery": "UNKNOWN"
},
"title": "Null pointer dereference in `SparseTensorSliceDataset` in TensorFlow",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-37647",
"STATE": "PUBLIC",
"TITLE": "Null pointer dereference in `SparseTensorSliceDataset` in TensorFlow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"version_value": "\u003c 2.3.4"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an end-to-end open source platform for machine learning. When a user does not supply arguments that determine a valid sparse tensor, `tf.raw_ops.SparseTensorSliceDataset` implementation can be made to dereference a null pointer. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L240-L251) has some argument validation but fails to consider the case when either `indices` or `values` are provided for an empty sparse tensor when the other is not. If `indices` is empty, then [code that performs validation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L260-L261) (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference. If `indices` as provided by the user is empty, then `indices` in the C++ code above is backed by an empty `std::vector`, hence calling `indices-\u003edim_size(0)` results in null pointer dereferencing (same as calling `std::vector::at()` on an empty vector). We have patched the issue in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476: NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c5x2-p679-95wc",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c5x2-p679-95wc"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/02cc160e29d20631de3859c6653184e3f876b9d7",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/02cc160e29d20631de3859c6653184e3f876b9d7"
}
]
},
"source": {
"advisory": "GHSA-c5x2-p679-95wc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-37647",
"datePublished": "2021-08-12T18:10:27.000Z",
"dateReserved": "2021-07-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:23:01.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37648 (GCVE-0-2021-37648)
Vulnerability from cvelistv5 – Published: 2021-08-12 21:15 – Updated: 2024-08-04 01:23
VLAI
Title
Incorrect validation of `SaveV2` inputs in TensorFlow
Summary
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the code for `tf.raw_ops.SaveV2` does not properly validate the inputs and an attacker can trigger a null pointer dereference. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/save_restore_v2_ops.cc) uses `ValidateInputs` to check that the input arguments are valid. This validation would have caught the illegal state represented by the reproducer above. However, the validation uses `OP_REQUIRES` which translates to setting the `Status` object of the current `OpKernelContext` to an error status, followed by an empty `return` statement which just terminates the execution of the function it is present in. However, this does not mean that the kernel execution is finalized: instead, execution continues from the next line in `Compute` that follows the call to `ValidateInputs`. This is equivalent to lacking the validation. We have patched the issue in GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Severity
7.8 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tensorflow/tensorflow/security… | x_refsource_CONFIRM |
| https://github.com/tensorflow/tensorflow/commit/9… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | tensorflow |
Affected:
>= 2.5.0, < 2.5.1
Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wp77-4gmm-7cq8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/9728c60e136912a12d99ca56e106b7cce7af5986"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the code for `tf.raw_ops.SaveV2` does not properly validate the inputs and an attacker can trigger a null pointer dereference. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/save_restore_v2_ops.cc) uses `ValidateInputs` to check that the input arguments are valid. This validation would have caught the illegal state represented by the reproducer above. However, the validation uses `OP_REQUIRES` which translates to setting the `Status` object of the current `OpKernelContext` to an error status, followed by an empty `return` statement which just terminates the execution of the function it is present in. However, this does not mean that the kernel execution is finalized: instead, execution continues from the next line in `Compute` that follows the call to `ValidateInputs`. This is equivalent to lacking the validation. We have patched the issue in GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T21:15:18.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wp77-4gmm-7cq8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/9728c60e136912a12d99ca56e106b7cce7af5986"
}
],
"source": {
"advisory": "GHSA-wp77-4gmm-7cq8",
"discovery": "UNKNOWN"
},
"title": "Incorrect validation of `SaveV2` inputs in TensorFlow",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-37648",
"STATE": "PUBLIC",
"TITLE": "Incorrect validation of `SaveV2` inputs in TensorFlow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"version_value": "\u003c 2.3.4"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the code for `tf.raw_ops.SaveV2` does not properly validate the inputs and an attacker can trigger a null pointer dereference. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/save_restore_v2_ops.cc) uses `ValidateInputs` to check that the input arguments are valid. This validation would have caught the illegal state represented by the reproducer above. However, the validation uses `OP_REQUIRES` which translates to setting the `Status` object of the current `OpKernelContext` to an error status, followed by an empty `return` statement which just terminates the execution of the function it is present in. However, this does not mean that the kernel execution is finalized: instead, execution continues from the next line in `Compute` that follows the call to `ValidateInputs`. This is equivalent to lacking the validation. We have patched the issue in GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476: NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wp77-4gmm-7cq8",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wp77-4gmm-7cq8"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/9728c60e136912a12d99ca56e106b7cce7af5986",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/9728c60e136912a12d99ca56e106b7cce7af5986"
}
]
},
"source": {
"advisory": "GHSA-wp77-4gmm-7cq8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-37648",
"datePublished": "2021-08-12T21:15:18.000Z",
"dateReserved": "2021-07-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:23:01.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37649 (GCVE-0-2021-37649)
Vulnerability from cvelistv5 – Published: 2021-08-12 18:10 – Updated: 2024-08-04 01:23
VLAI
Title
Null pointer dereference in `UncompressElement` in TensorFlow
Summary
TensorFlow is an end-to-end open source platform for machine learning. The code for `tf.raw_ops.UncompressElement` can be made to trigger a null pointer dereference. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/compression_ops.cc#L50-L53) obtains a pointer to a `CompressedElement` from a `Variant` tensor and then proceeds to dereference it for decompressing. There is no check that the `Variant` tensor contained a `CompressedElement`, so the pointer is actually `nullptr`. We have patched the issue in GitHub commit 7bdf50bb4f5c54a4997c379092888546c97c3ebd. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Severity
7.7 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tensorflow/tensorflow/security… | x_refsource_CONFIRM |
| https://github.com/tensorflow/tensorflow/commit/7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | tensorflow |
Affected:
>= 2.5.0, < 2.5.1
Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gv8-p3vj-pxvr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/7bdf50bb4f5c54a4997c379092888546c97c3ebd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an end-to-end open source platform for machine learning. The code for `tf.raw_ops.UncompressElement` can be made to trigger a null pointer dereference. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/compression_ops.cc#L50-L53) obtains a pointer to a `CompressedElement` from a `Variant` tensor and then proceeds to dereference it for decompressing. There is no check that the `Variant` tensor contained a `CompressedElement`, so the pointer is actually `nullptr`. We have patched the issue in GitHub commit 7bdf50bb4f5c54a4997c379092888546c97c3ebd. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T18:10:32.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gv8-p3vj-pxvr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/7bdf50bb4f5c54a4997c379092888546c97c3ebd"
}
],
"source": {
"advisory": "GHSA-6gv8-p3vj-pxvr",
"discovery": "UNKNOWN"
},
"title": "Null pointer dereference in `UncompressElement` in TensorFlow",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-37649",
"STATE": "PUBLIC",
"TITLE": "Null pointer dereference in `UncompressElement` in TensorFlow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"version_value": "\u003c 2.3.4"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an end-to-end open source platform for machine learning. The code for `tf.raw_ops.UncompressElement` can be made to trigger a null pointer dereference. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/compression_ops.cc#L50-L53) obtains a pointer to a `CompressedElement` from a `Variant` tensor and then proceeds to dereference it for decompressing. There is no check that the `Variant` tensor contained a `CompressedElement`, so the pointer is actually `nullptr`. We have patched the issue in GitHub commit 7bdf50bb4f5c54a4997c379092888546c97c3ebd. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476: NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gv8-p3vj-pxvr",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gv8-p3vj-pxvr"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/7bdf50bb4f5c54a4997c379092888546c97c3ebd",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/7bdf50bb4f5c54a4997c379092888546c97c3ebd"
}
]
},
"source": {
"advisory": "GHSA-6gv8-p3vj-pxvr",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-37649",
"datePublished": "2021-08-12T18:10:32.000Z",
"dateReserved": "2021-07-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:23:01.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37659 (GCVE-0-2021-37659)
Vulnerability from cvelistv5 – Published: 2021-08-12 20:25 – Updated: 2024-08-04 01:23
VLAI
Title
Out of bounds read via null pointer dereference in TensorFlow
Summary
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don't require broadcasting (e.g., gradients of binary cwise operations). The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/cwise_ops_common.h#L264) assumes that the two inputs have exactly the same number of elements but does not check that. Hence, when the eigen functor executes it triggers heap OOB reads and undefined behavior due to binding to nullptr. We have patched the issue in GitHub commit 93f428fd1768df147171ed674fee1fc5ab8309ec. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Severity
7.3 (High)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tensorflow/tensorflow/security… | x_refsource_CONFIRM |
| https://github.com/tensorflow/tensorflow/commit/9… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | tensorflow |
Affected:
>= 2.5.0, < 2.5.1
Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q3g3-h9r4-prrc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/93f428fd1768df147171ed674fee1fc5ab8309ec"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don\u0027t require broadcasting (e.g., gradients of binary cwise operations). The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/cwise_ops_common.h#L264) assumes that the two inputs have exactly the same number of elements but does not check that. Hence, when the eigen functor executes it triggers heap OOB reads and undefined behavior due to binding to nullptr. We have patched the issue in GitHub commit 93f428fd1768df147171ed674fee1fc5ab8309ec. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T20:25:17.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q3g3-h9r4-prrc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/93f428fd1768df147171ed674fee1fc5ab8309ec"
}
],
"source": {
"advisory": "GHSA-q3g3-h9r4-prrc",
"discovery": "UNKNOWN"
},
"title": "Out of bounds read via null pointer dereference in TensorFlow",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-37659",
"STATE": "PUBLIC",
"TITLE": "Out of bounds read via null pointer dereference in TensorFlow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"version_value": "\u003c 2.3.4"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don\u0027t require broadcasting (e.g., gradients of binary cwise operations). The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/cwise_ops_common.h#L264) assumes that the two inputs have exactly the same number of elements but does not check that. Hence, when the eigen functor executes it triggers heap OOB reads and undefined behavior due to binding to nullptr. We have patched the issue in GitHub commit 93f428fd1768df147171ed674fee1fc5ab8309ec. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476: NULL Pointer Dereference"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-125: Out-of-bounds Read"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q3g3-h9r4-prrc",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q3g3-h9r4-prrc"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/93f428fd1768df147171ed674fee1fc5ab8309ec",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/93f428fd1768df147171ed674fee1fc5ab8309ec"
}
]
},
"source": {
"advisory": "GHSA-q3g3-h9r4-prrc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-37659",
"datePublished": "2021-08-12T20:25:17.000Z",
"dateReserved": "2021-07-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:23:01.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37681 (GCVE-0-2021-37681)
Vulnerability from cvelistv5 – Published: 2021-08-12 22:00 – Updated: 2024-08-04 01:23
VLAI
Title
Null pointer exception in TensorFlow Lite
Summary
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of SVDF in TFLite is [vulnerable to a null pointer error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/svdf.cc#L300-L313). The [`GetVariableInput` function](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L115-L119) can return a null pointer but `GetTensorData` assumes that the argument is always a valid tensor. Furthermore, because `GetVariableInput` calls [`GetMutableInput`](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L82-L90) which might return `nullptr`, the `tensor->is_variable` expression can also trigger a null pointer exception. We have patched the issue in GitHub commit 5b048e87e4e55990dae6b547add4dae59f4e1c76. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Severity
7.8 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tensorflow/tensorflow/security… | x_refsource_CONFIRM |
| https://github.com/tensorflow/tensorflow/commit/5… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | tensorflow |
Affected:
>= 2.5.0, < 2.5.1
Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7xwj-5r4v-429p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/5b048e87e4e55990dae6b547add4dae59f4e1c76"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of SVDF in TFLite is [vulnerable to a null pointer error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/svdf.cc#L300-L313). The [`GetVariableInput` function](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L115-L119) can return a null pointer but `GetTensorData` assumes that the argument is always a valid tensor. Furthermore, because `GetVariableInput` calls [`GetMutableInput`](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L82-L90) which might return `nullptr`, the `tensor-\u003eis_variable` expression can also trigger a null pointer exception. We have patched the issue in GitHub commit 5b048e87e4e55990dae6b547add4dae59f4e1c76. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T22:00:24.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7xwj-5r4v-429p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/5b048e87e4e55990dae6b547add4dae59f4e1c76"
}
],
"source": {
"advisory": "GHSA-7xwj-5r4v-429p",
"discovery": "UNKNOWN"
},
"title": "Null pointer exception in TensorFlow Lite",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-37681",
"STATE": "PUBLIC",
"TITLE": "Null pointer exception in TensorFlow Lite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"version_value": "\u003c 2.3.4"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of SVDF in TFLite is [vulnerable to a null pointer error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/svdf.cc#L300-L313). The [`GetVariableInput` function](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L115-L119) can return a null pointer but `GetTensorData` assumes that the argument is always a valid tensor. Furthermore, because `GetVariableInput` calls [`GetMutableInput`](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L82-L90) which might return `nullptr`, the `tensor-\u003eis_variable` expression can also trigger a null pointer exception. We have patched the issue in GitHub commit 5b048e87e4e55990dae6b547add4dae59f4e1c76. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476: NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7xwj-5r4v-429p",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7xwj-5r4v-429p"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/5b048e87e4e55990dae6b547add4dae59f4e1c76",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/5b048e87e4e55990dae6b547add4dae59f4e1c76"
}
]
},
"source": {
"advisory": "GHSA-7xwj-5r4v-429p",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-37681",
"datePublished": "2021-08-12T22:00:24.000Z",
"dateReserved": "2021-07-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:23:01.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37688 (GCVE-0-2021-37688)
Vulnerability from cvelistv5 – Published: 2021-08-12 22:00 – Updated: 2024-08-04 01:23
VLAI
Title
Null pointer dereference in TensorFlow Lite
Summary
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L268-L285) unconditionally dereferences a pointer. We have patched the issue in GitHub commit 15691e456c7dc9bd6be203b09765b063bf4a380c. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Severity
7.8 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tensorflow/tensorflow/security… | x_refsource_CONFIRM |
| https://github.com/tensorflow/tensorflow/commit/1… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | tensorflow |
Affected:
>= 2.5.0, < 2.5.1
Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vcjj-9vg7-vf68"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/15691e456c7dc9bd6be203b09765b063bf4a380c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L268-L285) unconditionally dereferences a pointer. We have patched the issue in GitHub commit 15691e456c7dc9bd6be203b09765b063bf4a380c. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T22:00:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vcjj-9vg7-vf68"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/15691e456c7dc9bd6be203b09765b063bf4a380c"
}
],
"source": {
"advisory": "GHSA-vcjj-9vg7-vf68",
"discovery": "UNKNOWN"
},
"title": "Null pointer dereference in TensorFlow Lite",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-37688",
"STATE": "PUBLIC",
"TITLE": "Null pointer dereference in TensorFlow Lite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"version_value": "\u003c 2.3.4"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L268-L285) unconditionally dereferences a pointer. We have patched the issue in GitHub commit 15691e456c7dc9bd6be203b09765b063bf4a380c. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476: NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vcjj-9vg7-vf68",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vcjj-9vg7-vf68"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/15691e456c7dc9bd6be203b09765b063bf4a380c",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/15691e456c7dc9bd6be203b09765b063bf4a380c"
}
]
},
"source": {
"advisory": "GHSA-vcjj-9vg7-vf68",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-37688",
"datePublished": "2021-08-12T22:00:12.000Z",
"dateReserved": "2021-07-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:23:01.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37689 (GCVE-0-2021-37689)
Vulnerability from cvelistv5 – Published: 2021-08-12 22:00 – Updated: 2024-08-04 01:23
VLAI
Title
Null pointer dereference in TensorFlow Lite MLIR optimizations
Summary
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. This is caused by the MLIR optimization of `L2NormalizeReduceAxis` operator. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/compiler/mlir/lite/transforms/optimize.cc#L67-L70) unconditionally dereferences a pointer to an iterator to a vector without checking that the vector has elements. We have patched the issue in GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Severity
7.8 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tensorflow/tensorflow/security… | x_refsource_CONFIRM |
| https://github.com/tensorflow/tensorflow/commit/d… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tensorflow | tensorflow |
Affected:
>= 2.5.0, < 2.5.1
Affected: >= 2.4.0, < 2.4.3 Affected: < 2.3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wf5p-c75w-w3wh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tensorflow/tensorflow/commit/d6b57f461b39fd1aa8c1b870f1b974aac3554955"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tensorflow",
"vendor": "tensorflow",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. This is caused by the MLIR optimization of `L2NormalizeReduceAxis` operator. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/compiler/mlir/lite/transforms/optimize.cc#L67-L70) unconditionally dereferences a pointer to an iterator to a vector without checking that the vector has elements. We have patched the issue in GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T22:00:18.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wf5p-c75w-w3wh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tensorflow/tensorflow/commit/d6b57f461b39fd1aa8c1b870f1b974aac3554955"
}
],
"source": {
"advisory": "GHSA-wf5p-c75w-w3wh",
"discovery": "UNKNOWN"
},
"title": "Null pointer dereference in TensorFlow Lite MLIR optimizations",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-37689",
"STATE": "PUBLIC",
"TITLE": "Null pointer dereference in TensorFlow Lite MLIR optimizations"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tensorflow",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.5.0, \u003c 2.5.1"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.3"
},
{
"version_value": "\u003c 2.3.4"
}
]
}
}
]
},
"vendor_name": "tensorflow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. This is caused by the MLIR optimization of `L2NormalizeReduceAxis` operator. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/compiler/mlir/lite/transforms/optimize.cc#L67-L70) unconditionally dereferences a pointer to an iterator to a vector without checking that the vector has elements. We have patched the issue in GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476: NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wf5p-c75w-w3wh",
"refsource": "CONFIRM",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wf5p-c75w-w3wh"
},
{
"name": "https://github.com/tensorflow/tensorflow/commit/d6b57f461b39fd1aa8c1b870f1b974aac3554955",
"refsource": "MISC",
"url": "https://github.com/tensorflow/tensorflow/commit/d6b57f461b39fd1aa8c1b870f1b974aac3554955"
}
]
},
"source": {
"advisory": "GHSA-wf5p-c75w-w3wh",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-37689",
"datePublished": "2021-08-12T22:00:19.000Z",
"dateReserved": "2021-07-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:23:01.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39849 (GCVE-0-2021-39849)
Vulnerability from cvelistv5 – Published: 2021-09-29 15:39 – Updated: 2024-09-16 19:31
VLAI
Title
Adobe Acrobat Reader DC Null Pointer Dereference Could Lead To Application Denial-of-Service
Summary
Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference (CWE-476)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/acrobat… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Acrobat Reader |
Affected:
unspecified , ≤ DC 2021 July
(custom)
Affected: unspecified , ≤ 20.0-Classic 2021 July (custom) Affected: unspecified , ≤ 17.0-Classic 2021 July (custom) Affected: unspecified , ≤ None (custom) |
Date Public
2021-09-14 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:20:33.369Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Acrobat Reader",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "DC 2021 July",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.0-Classic 2021 July",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "17.0-Classic 2021 July",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "NULL Pointer Dereference (CWE-476)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-06T15:25:22.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Acrobat Reader DC Null Pointer Dereference Could Lead To Application Denial-of-Service",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-09-14T23:00:00.000Z",
"ID": "CVE-2021-39849",
"STATE": "PUBLIC",
"TITLE": "Adobe Acrobat Reader DC Null Pointer Dereference Could Lead To Application Denial-of-Service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Acrobat Reader",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "DC 2021 July"
},
{
"version_affected": "\u003c=",
"version_value": "20.0-Classic 2021 July"
},
{
"version_affected": "\u003c=",
"version_value": "17.0-Classic 2021 July"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Local",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "NULL Pointer Dereference (CWE-476)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-39849",
"datePublished": "2021-09-29T15:39:09.388Z",
"dateReserved": "2021-08-23T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:31:05.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39850 (GCVE-0-2021-39850)
Vulnerability from cvelistv5 – Published: 2021-09-29 15:38 – Updated: 2024-09-16 19:42
VLAI
Title
Adobe Acrobat Reader DC Null Pointer Dereference Could Lead To Application Denial-of-Service
Summary
Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference (CWE-476)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/acrobat… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Acrobat Reader |
Affected:
unspecified , ≤ DC 2021 July
(custom)
Affected: unspecified , ≤ 20.0-Classic 2021 July (custom) Affected: unspecified , ≤ 17.0-Classic 2021 July (custom) Affected: unspecified , ≤ None (custom) |
Date Public
2021-09-14 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:20:33.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Acrobat Reader",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "DC 2021 July",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.0-Classic 2021 July",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "17.0-Classic 2021 July",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "NULL Pointer Dereference (CWE-476)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-06T15:25:15.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Acrobat Reader DC Null Pointer Dereference Could Lead To Application Denial-of-Service",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-09-14T23:00:00.000Z",
"ID": "CVE-2021-39850",
"STATE": "PUBLIC",
"TITLE": "Adobe Acrobat Reader DC Null Pointer Dereference Could Lead To Application Denial-of-Service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Acrobat Reader",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "DC 2021 July"
},
{
"version_affected": "\u003c=",
"version_value": "20.0-Classic 2021 July"
},
{
"version_affected": "\u003c=",
"version_value": "17.0-Classic 2021 July"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Local",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "NULL Pointer Dereference (CWE-476)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-39850",
"datePublished": "2021-09-29T15:38:54.757Z",
"dateReserved": "2021-08-23T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:42:00.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation ID: MIT-56
Phase: Implementation
Description:
- For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Phase: Requirements
Description:
- Select a programming language that is not susceptible to these issues.
Mitigation
Phase: Implementation
Description:
- Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Phase: Architecture and Design
Description:
- Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Phase: Implementation
Description:
- Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.