
CVE-2021-29607: Incomplete validation in `SparseSparseMinimum`

CVSS 3.1 Score: 5.3

Basic Information

EPSS Score: 0.14711%
Published: 3/18/2022
Updated: 11/13/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
Package Name     Ecosystem   Vulnerable Versions    First Patched Version
tensorflow       pip         < 2.1.4                2.1.4
tensorflow       pip         >= 2.2.0, < 2.2.3      2.2.3
tensorflow       pip         >= 2.3.0, < 2.3.3      2.3.3
tensorflow       pip         >= 2.4.0, < 2.4.2      2.4.2
tensorflow-cpu   pip         < 2.1.4                2.1.4
tensorflow-cpu   pip         >= 2.2.0, < 2.2.3      2.2.3
tensorflow-cpu   pip         >= 2.3.0, < 2.3.3      2.3.3
tensorflow-cpu   pip         >= 2.4.0, < 2.4.2      2.4.2
tensorflow-gpu   pip         < 2.1.4                2.1.4
tensorflow-gpu   pip         >= 2.2.0, < 2.2.3      2.2.3
tensorflow-gpu   pip         >= 2.3.0, < 2.3.3      2.3.3
tensorflow-gpu   pip         >= 2.4.0, < 2.4.2      2.4.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing validation checks in the SparseSparseBinaryOpShared::Compute function, as shown in the commit diffs. The original code lacked checks for:

  1. Empty tensors (num_dims > 0)
  2. a_shape_t->NumElements() == num_dims (shape/indices dimension alignment)
  3. Matching indices dimensions between the a and b inputs

These missing validations were explicitly added in the patches to sparse_sparse_binary_op_shared.cc, confirming this function as the vulnerable entry point. The CWE-754 classification further supports that this is an improper validation of exceptional conditions scenario.
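The following self-contained C++ routine is an added illustration of the three preconditions the analysis lists; it is not TensorFlow's code and not part of this page. It models each sparse operand as a constructed `SparseInput` struct (COO indices stored row-major, one value per row, and a dense shape), rejects operands that fail any of the three checks, and goes one step beyond the list by also verifying that every index lies inside the dense shape, which is the condition that keeps the downstream elementwise pass from writing past its buffers. All names and error strings are assumptions made for this example.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for a sparse tensor in coordinate (COO) form, as an op
// kernel receives it: `indices` is an nnz x rank matrix stored row-major,
// `values` has one entry per row of `indices`, `shape` is the dense shape.
struct SparseInput {
    std::vector<int64_t> indices;
    std::vector<float> values;
    std::vector<int64_t> shape;
    int64_t rank;  // number of columns in `indices` (num_dims in the analysis)
};

// Checks that a pair of sparse operands is safe to combine elementwise.
// Returns an empty string on success, otherwise the first violated
// precondition. Hypothetical illustration, not TensorFlow's own code.
std::string ValidateSparsePair(const SparseInput& a, const SparseInput& b) {
    // Check 1 (num_dims > 0): an indices matrix with no columns gives later
    // code nothing to index into; reading "column 0" would run off the buffer.
    if (a.rank <= 0) return "a: indices must have at least one dimension";
    if (b.rank <= 0) return "b: indices must have at least one dimension";

    // Check 2 (shape length == num_dims): one dense extent per index column,
    // otherwise shape[d] for the last column is an out-of-bounds read.
    if (static_cast<int64_t>(a.shape.size()) != a.rank)
        return "a: shape length does not match indices dimensions";
    if (static_cast<int64_t>(b.shape.size()) != b.rank)
        return "b: shape length does not match indices dimensions";

    // Check 3 (matching dims between a and b): both operands must index the
    // same number of dimensions; for an elementwise op the dense shapes must
    // agree as well.
    if (a.rank != b.rank) return "a and b have different indices dimensions";
    if (a.shape != b.shape) return "a and b have different dense shapes";

    // Added beyond the three listed checks: per-operand consistency, so that a
    // row count derived from one buffer can never overrun another, and every
    // coordinate stays inside the dense shape.
    for (const SparseInput* t : {&a, &b}) {
        const std::string name = (t == &a) ? "a" : "b";
        const size_t rank = static_cast<size_t>(t->rank);
        if (t->indices.size() % rank != 0)
            return name + ": indices buffer is not a whole number of rows";
        const size_t nnz = t->indices.size() / rank;
        if (t->values.size() != nnz)
            return name + ": values count does not match indices rows";
        for (size_t row = 0; row < nnz; ++row) {
            for (size_t d = 0; d < rank; ++d) {
                const int64_t idx = t->indices[row * rank + d];
                if (idx < 0 || idx >= t->shape[d])
                    return name + ": index out of bounds for its dense shape";
            }
        }
    }
    return "";
}

int main() {
    // Constructed sample operands: two 3x3 sparse matrices with two entries each.
    SparseInput good_a{{0, 0, 1, 2}, {1.0f, 2.0f}, {3, 3}, 2};
    SparseInput good_b{{0, 1, 2, 2}, {5.0f, 0.5f}, {3, 3}, 2};
    // Constructed malformed operand: rank says 2 but the shape has one entry.
    SparseInput bad_shape{{0, 0}, {1.0f}, {3}, 2};

    std::cout << "good pair: '" << ValidateSparsePair(good_a, good_b) << "'\n";
    std::cout << "bad shape: '" << ValidateSparsePair(bad_shape, good_b) << "'\n";
    return 0;
}
```

The routine returns the first failing precondition rather than aborting, so a caller can surface it as an InvalidArgument-style error to the user instead of letting the kernel proceed into undefined behaviour.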


WAF Protection Rules

WAF Rule

Impact

Incomplete validation in `SparseSparseMinimum` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data:

```python
import tensorflow as tf
a_indices = tf.o
```
