
CVE-2021-37660: Division by 0 in inplace operations

CVSS Score (v3.1)
5.5

Basic Information

EPSS Score
0.00644%
Published
8/25/2021
Updated
11/13/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name     Ecosystem   Vulnerable Versions     First Patched Version
tensorflow       pip         < 2.3.4                 2.3.4
tensorflow       pip         >= 2.4.0, < 2.4.3       2.4.3
tensorflow       pip         = 2.5.0                 2.5.1
tensorflow-cpu   pip         < 2.3.4                 2.3.4
tensorflow-cpu   pip         >= 2.4.0, < 2.4.3       2.4.3
tensorflow-cpu   pip         = 2.5.0                 2.5.1
tensorflow-gpu   pip         < 2.3.4                 2.3.4
tensorflow-gpu   pip         >= 2.4.0, < 2.4.3       2.4.3
tensorflow-gpu   pip         = 2.5.0                 2.5.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the Compute method in the InplaceOpBase class (used by inplace operations like InplaceSub/InplaceAdd). The GitHub diff shows the critical '||' to '&&' fix in this method's condition check. This method is shared across all inplace operations, making it the root cause. The example uses InplaceSub, but the vulnerability is inherited by all ops using this base implementation.
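To make the '||' versus '&&' logic error concrete, here is an added stand-alone Python model of the guard in `InplaceOpBase::Compute`; it is not TensorFlow's own C++ kernel and is not part of the Miggo page. Two details are assumptions rather than statements from the page: that the kernel body wraps each index modulo the row count of `x` (this is the division that fails when `x` has zero rows), and the sample index and value literals, which are constructed. The `args_are_safe` helper is a caller-side mitigation for deployments that cannot upgrade yet.

```python
# Model of the guard in InplaceOpBase::Compute (CVE-2021-37660).
# Stand-alone illustration, not TensorFlow's C++ kernel. ASSUMPTIONS: the
# kernel body wraps indices modulo the row count of x (that is the division
# by zero); all sample values below are constructed.
from typing import List, Sequence

Row = List[float]


def _do_compute(i: Sequence[int], v: Sequence[Row], y: List[Row]) -> List[Row]:
    """Modelled kernel body: subtract v[j] from the row of y selected by i[j].

    ASSUMPTION: indices are wrapped modulo the row count. With zero rows the
    modulo divides by zero, the equivalent of the SIGFPE in the real kernel.
    """
    nrows = len(y)
    for j, idx in enumerate(i):
        r = (idx % nrows + nrows) % nrows  # ZeroDivisionError when nrows == 0
        y[r] = [a - b for a, b in zip(y[r], v[j])]
    return y


def inplace_sub(x: Sequence[Row], i: Sequence[int], v: Sequence[Row],
                patched: bool) -> List[Row]:
    """Model of InplaceOpBase::Compute for InplaceSub.

    patched=False uses the vulnerable '||' guard, patched=True the '&&' fix.
    The shape checks mirror ones that exist in both versions.
    """
    if len(i) != len(v):
        raise ValueError("i must have one index per row of v")
    if x and v and len(x[0]) != len(v[0]):
        raise ValueError("rows of x and v must have the same width")
    y = [list(row) for row in x]  # the op updates x in place; copy for clarity
    if patched:
        # Fixed guard: run the body only when BOTH tensors are non-empty.
        run_body = len(y) > 0 and len(v) > 0
    else:
        # Vulnerable guard: '||' lets an empty x through when v is non-empty.
        run_body = len(y) > 0 or len(v) > 0
    if run_body:
        _do_compute(i, v, y)
    return y


def trigger_outcome(patched: bool) -> str:
    """Empty x with non-empty i/v (constructed values): crash or clean no-op?"""
    try:
        inplace_sub([], [-2, 0, 1], [[1.0], [1.0], [1.0]], patched)
        return "no-op"
    except ZeroDivisionError:
        return "division by zero"


def args_are_safe(x: Sequence[Row], i: Sequence[int], v: Sequence[Row]) -> bool:
    """Caller-side check for deployments still on a vulnerable version:
    refuse the empty-x / non-empty-v combination before it reaches the op."""
    if len(i) != len(v):
        return False
    if len(x) == 0 and len(v) > 0:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable guard:", trigger_outcome(patched=False))
    print("patched guard:   ", trigger_outcome(patched=True))
    print("safe to call?    ", args_are_safe([], [-2, 0, 1], [[1.0]] * 3))
```

Running the module shows the vulnerable guard reaching the kernel body with zero rows and failing, while the patched guard skips the body and returns the empty tensor unchanged; `args_are_safe` rejects the same argument shape before the op is ever called.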


WAF Protection Rules

WAF Rule

### Impact

An attacker can cause a floating point exception by calling inplace operations with crafted arguments that would result in a division by 0:

```python
import tensorflow as tf
# the index and value literals are obscured (shown as asterisks) in the source page
tf.raw_ops.InplaceSub(x=[], i=[-**, -*, -*], v=[*, *, *])
```

The [i
