Miggo Logo

CVE-2021-29521: Segfault in SparseCountSparseOutput

2.5

CVSS Score
3.1

Basic Information

EPSS Score
0.01803%
Published
5/21/2021
Updated
10/28/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
tensorflowpip>= 2.3.0, < 2.3.32.3.3
tensorflowpip>= 2.4.0, < 2.4.22.4.2
tensorflow-cpupip>= 2.3.0, < 2.3.32.3.3
tensorflow-cpupip>= 2.4.0, < 2.4.22.4.2
tensorflow-gpupip>= 2.3.0, < 2.3.32.3.3
tensorflow-gpupip>= 2.4.0, < 2.4.22.4.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the code segment where 'num_batches' is derived directly from the first element of 'dense_shape' tensor (lines 199-213 in count_ops.cc). The unvalidated use of user-controlled input to initialize a std::vector-based structure violates std::vector's invariants when negative values are provided. The patched commit adds explicit validation for non-negative dense_shape elements, confirming this was the root cause. The function's direct handling of untrusted input and lack of pre-validation make it clearly vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Sp**i*yin* * n***tiv* **ns* s**p* in `t*.r*w_ops.Sp*rs**ountSp*rs*Output` r*sults in * s**m*nt*tion **ult **in* t*rown out *rom t** st*n**r* li*r*ry *s `st*::v**tor` inv*ri*nts *r* *rok*n. ```pyt*on import t*nsor*low *s t* in*i**s = t*.*

Reasoning

T** vuln*r**ility st*ms *rom t** *o** s**m*nt w**r* 'num_**t***s' is **riv** *ir**tly *rom t** *irst *l*m*nt o* '**ns*_s**p*' t*nsor (lin*s ***-*** in *ount_ops.**). T** unv*li**t** us* o* us*r-*ontroll** input to initi*liz* * st*::v**tor-**s** stru*