
CVE-2021-37682: Use of uninitialized value in TFLite

CVSS Score (v3.1): 4.4

Basic Information

EPSS Score: 0.1052%
Published: 8/25/2021
Updated: 11/13/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tensorflow | pip | < 2.3.4 | 2.3.4 |
| tensorflow | pip | >= 2.4.0, < 2.4.3 | 2.4.3 |
| tensorflow | pip | = 2.5.0 | 2.5.1 |
| tensorflow-cpu | pip | < 2.3.4 | 2.3.4 |
| tensorflow-cpu | pip | >= 2.4.0, < 2.4.3 | 2.4.3 |
| tensorflow-cpu | pip | = 2.5.0 | 2.5.1 |
| tensorflow-gpu | pip | < 2.3.4 | 2.3.4 |
| tensorflow-gpu | pip | >= 2.4.0, < 2.4.3 | 2.4.3 |
| tensorflow-gpu | pip | = 2.5.0 | 2.5.1 |

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from accessing quantization.params without validating quantization.type first. The patched commits explicitly add TF_LITE_ENSURE checks for quantization.type != kTfLiteNoQuantization before accessing params in these functions. The functions are clearly identified in the commit diffs across multiple files (unidirectional_sequence_lstm.cc, svdf.cc, depthwise_conv.cc), all following the same vulnerability pattern of missing quantization type checks when handling quantization parameters.
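As an added illustration (not code from this page or from TensorFlow), the unchecked and the checked form of the pattern described above, using simplified stand-ins for the TFLite C types (TfLiteTensor, TfLiteQuantization, TfLiteAffineQuantization) and a minimal TF_LITE_ENSURE macro; the sample tensors are constructed for the example:

```cpp
// Simplified stand-ins for TFLite's C types; the real headers differ
// (e.g. TfLiteFloatArray uses a flexible array member and TF_LITE_ENSURE
// also takes a context and logs). Enough to show the check that was missing.
#include <cstdio>
enum TfLiteStatus { kTfLiteOk = 0, kTfLiteError = 1 };
enum TfLiteQuantizationType { kTfLiteNoQuantization = 0, kTfLiteAffineQuantization = 1 };

struct TfLiteFloatArray { int size; float data[1]; };
struct TfLiteAffineQuantization { TfLiteFloatArray* scale; int quantized_dimension; };
struct TfLiteQuantization { TfLiteQuantizationType type; void* params; };
struct TfLiteTensor { TfLiteQuantization quantization; };

// Stand-in for TFLite's macro: bail out of the kernel with an error status.
#define TF_LITE_ENSURE(cond) do { if (!(cond)) return kTfLiteError; } while (0)

// Vulnerable pattern (pre-patch): params is cast and dereferenced no matter
// what quantization.type says. For a kTfLiteNoQuantization tensor, params
// was never initialized, so this reads garbage or a null pointer.
TfLiteStatus ReadScaleUnchecked(const TfLiteTensor* t, float* scale) {
  const auto* q = static_cast<const TfLiteAffineQuantization*>(t->quantization.params);
  *scale = q->scale->data[0];
  return kTfLiteOk;
}

// Patched pattern: the type check added by the fix guards every access to
// params, so an unquantized tensor makes the kernel fail cleanly instead.
TfLiteStatus ReadScaleChecked(const TfLiteTensor* t, float* scale) {
  TF_LITE_ENSURE(t->quantization.type != kTfLiteNoQuantization);
  TF_LITE_ENSURE(t->quantization.params != nullptr);
  const auto* q = static_cast<const TfLiteAffineQuantization*>(t->quantization.params);
  TF_LITE_ENSURE(q->scale != nullptr && q->scale->size > 0);
  *scale = q->scale->data[0];
  return kTfLiteOk;
}

// Constructed sample tensors: one properly quantized, one unquantized.
static TfLiteFloatArray kScale = {1, {0.5f}};
static TfLiteAffineQuantization kAffine = {&kScale, 0};
TfLiteTensor MakeQuantizedTensor() { return TfLiteTensor{{kTfLiteAffineQuantization, &kAffine}}; }
TfLiteTensor MakeUnquantizedTensor() { return TfLiteTensor{{kTfLiteNoQuantization, nullptr}}; }

int main() {
  float s = 0.0f;
  TfLiteTensor good = MakeQuantizedTensor(), none = MakeUnquantizedTensor();
  std::printf("checked, quantized:   status %d, scale %.2f\n", ReadScaleChecked(&good, &s), s);
  std::printf("checked, unquantized: status %d\n", ReadScaleChecked(&none, &s));
  // ReadScaleUnchecked(&none, &s) is the uninitialized read the CVE describes.
  return 0;
}
```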


WAF Protection Rules

WAF Rule

Impact

All TFLite operations that use quantization can be made to use uninitialized values ([for example](https://github.com/tensorflow/tensorflow/blob/****************************************/tensorflow/lite/kernels/depthwise_conv.cc#L***-L***)).
