5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37684

GHSA ID

GHSA-q7f7-544h-67h9

EPSS Score

0.00376%

CWE

CWE-369

Published

8/25/2021

Updated

11/13/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-37684

CVE-2021-37684: FPE in TFLite pooling operations

Impact

The implementations of pooling in TFLite are vulnerable to division by 0 errors as there are no checks for divisors not being 0.

Patches

We have patched the issue in GitHub commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695.

The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by members of the Aivul Team from Qihoo 360.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37684

GHSA ID

GHSA-q7f7-544h-67h9

EPSS Score

0.00376%

CWE

CWE-369

Published

8/25/2021

Updated

11/13/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tensorflow	pip	< 2.3.4	2.3.4
tensorflow	pip	>= 2.4.0, < 2.4.3	2.4.3
tensorflow	pip	= 2.5.0	2.5.1
tensorflow-cpu	pip	< 2.3.4	2.3.4
tensorflow-cpu	pip	>= 2.4.0, < 2.4.3	2.4.3
tensorflow-cpu	pip	= 2.5.0	2.5.1
tensorflow-gpu	pip	< 2.3.4	2.3.4
tensorflow-gpu	pip	>= 2.4.0, < 2.4.3	2.4.3
tensorflow-gpu	pip	= 2.5.0	2.5.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing divisor validation in TFLite pooling operations. The commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695 adds safety checks for zero divisors in pooling dimension calculations. Key functions involved would be those handling pooling parameter computation (PoolParams::ComputePaddingHeightWidth) and the actual pooling execution (AveragePool2D::Eval), as these are standard locations where dimension validation occurs in TensorFlow's pooling implementations. The confidence is high because the vulnerability description explicitly mentions TFLite pooling operations and division-by-zero errors, which align with these core pooling functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** impl*m*nt*tions o* poolin* in T*Lit* *r* vuln*r**l* to *ivision *y * *rrors *s t**r* *r* no ****ks *or *ivisors not **in* *. ### P*t***s W* **v* p*t**** t** issu* in *it*u* *ommit [****************************************](*ttps://*i

Reasoning

T** vuln*r**ility st*ms *rom missin* *ivisor v*li**tion in T*Lit* poolin* op*r*tions. T** *ommit **************************************** ***s s***ty ****ks *or z*ro *ivisors in poolin* *im*nsion **l*ul*tions. K*y *un*tions involv** woul* ** t*os* **

5.5

Basic Information

Concerned about an active attack path?

CVE-2021-37684: FPE in TFLite pooling operations

Impact

Patches

For more information

Attribution

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI