
CVE-2021-37687: Heap OOB in TFLite's `Gather*` implementations

CVSS Score: 5.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.12677%
Published: 8/25/2021
Updated: 11/13/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| tensorflow | pip | < 2.3.4 | 2.3.4 |
| tensorflow | pip | >= 2.4.0, < 2.4.3 | 2.4.3 |
| tensorflow | pip | = 2.5.0 | 2.5.1 |
| tensorflow-cpu | pip | < 2.3.4 | 2.3.4 |
| tensorflow-cpu | pip | >= 2.4.0, < 2.4.3 | 2.4.3 |
| tensorflow-cpu | pip | = 2.5.0 | 2.5.1 |
| tensorflow-gpu | pip | < 2.3.4 | 2.3.4 |
| tensorflow-gpu | pip | >= 2.4.0, < 2.4.3 | 2.4.3 |
| tensorflow-gpu | pip | = 2.5.0 | 2.5.1 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing negative index validation in TFLite's gather operations. The commit diffs show:

  1. In gather_nd.cc, EvalGatherNd was modified to add a loop checking for negative indices (bb6a038)
  2. In gather.cc, both the Gather template and GatherStrings functions were patched to include negative index checks (eb92112)
  3. The original implementations processed indices directly without validation, as evidenced by the code snippets from the vulnerable versions
  4. The CWE-125 classification confirms this is an OOB read vulnerability caused by improper index validation
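The check the fix commits introduced is a validation pass over the index tensor before evaluation. The following C++ block is an added illustration written for this page, not TFLite's own kernel code: a simplified row gather over a flat, row-major params buffer, with an assumed helper `IndicesInRange` that rejects negative and past-the-end indices before any bytes are copied. The same per-component check generalizes to `GatherNd`, where each index tuple component is validated against its own dimension.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed illustration (not TFLite's own kernel code): a simplified
// row gather over a 2-D params tensor stored row-major in a flat vector.
// The pre-fix TFLite kernels computed the source offset from each index
// without checking its sign, so a negative index moved the read pointer in
// front of the buffer (the CWE-125 heap OOB read). The pattern below does
// what the fix commits added: validate every index before any data moves.

enum class GatherStatus { kOk, kInvalidIndex };

// Reject any index outside [0, axis_size). Assumed helper name; TFLite's
// real check lives inside the kernel's Eval function.
bool IndicesInRange(const std::vector<int32_t>& indices, int32_t axis_size) {
  for (int32_t idx : indices) {
    if (idx < 0 || idx >= axis_size) return false;
  }
  return true;
}

// Copy the rows of `params` (shape rows x cols) selected by `indices` into
// `out`. On an invalid index the op fails closed: nothing is read or written.
GatherStatus GatherRows(const std::vector<float>& params, int32_t rows,
                        int32_t cols, const std::vector<int32_t>& indices,
                        std::vector<float>* out) {
  // Shape must describe the buffer exactly, or the row arithmetic is meaningless.
  if (rows < 0 || cols < 0 ||
      static_cast<size_t>(rows) * static_cast<size_t>(cols) != params.size()) {
    return GatherStatus::kInvalidIndex;
  }
  // The validation loop the vulnerable versions lacked.
  if (!IndicesInRange(indices, rows)) return GatherStatus::kInvalidIndex;
  out->clear();
  out->reserve(indices.size() * static_cast<size_t>(cols));
  for (int32_t idx : indices) {
    // Safe only because idx was range-checked above.
    const float* row = params.data() + static_cast<size_t>(idx) * cols;
    out->insert(out->end(), row, row + cols);
  }
  return GatherStatus::kOk;
}

// Runs the scenarios the advisory describes on a constructed 3x3 tensor:
// in-range indices succeed, while a negative index and an index past the end
// are rejected before any copy. Returns true when every scenario behaves as expected.
bool SelfCheck() {
  const std::vector<float> params = {1, 2, 3, 4, 5, 6, 7, 8, 9};
  std::vector<float> out;
  if (GatherRows(params, 3, 3, {2, 0}, &out) != GatherStatus::kOk) return false;
  if (out != std::vector<float>{7, 8, 9, 1, 2, 3}) return false;
  if (GatherRows(params, 3, 3, {-1}, &out) != GatherStatus::kInvalidIndex) return false;
  if (GatherRows(params, 3, 3, {3}, &out) != GatherStatus::kInvalidIndex) return false;
  return true;
}

int main() { return SelfCheck() ? 0 : 1; }
```

The design point is that validation is a separate pass over the whole index tensor rather than a check interleaved with copying: a partial copy followed by an error would leave the output tensor half-written, and a check placed after the pointer arithmetic would already be too late.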

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact

TFLite's [`GatherNd` implementation](https://github.com/tensorflow/tensorflow/blob/<commit hash not recoverable from this page>/tensorflow/lite/kernels/gather_nd.cc#L<line not recoverable from this page>) does not support negative indices but there are no checks for this situation.
