-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PythonPython| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tensorflow | pip | < 2.7.2 | 2.7.2 |
| tensorflow | pip | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow | pip | >= 2.9.0, < 2.9.1 | 2.9.1 |
| tensorflow-cpu | pip | < 2.7.2 | 2.7.2 |
| tensorflow-cpu | pip | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow-cpu | pip | >= 2.9.0, < 2.9.1 | 2.9.1 |
| tensorflow-gpu | pip | < 2.7.2 | 2.7.2 |
| tensorflow-gpu | pip | >= 2.8.0, < 2.8.1 | 2.8.1 |
| tensorflow-gpu | pip | >= 2.9.0, < 2.9.1 | 2.9.1 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from the pre-patch implementation in draw_bounding_box_op.cc where the code used boxes.tensor<T, 3>() (line 122). The template type T allowed non-float dtypes to pass through, but the implementation required float values. The commit fixed this by explicitly using float (boxes.tensor<float, 3>()), indicating the original code lacked proper dtype enforcement. The CHECK failure occurred because the tensor access assumed float dtype, which wasn't validated before the tensor access operation. The test case modifications adding dtype handling and the explicit commit message about requiring float dtype confirm this analysis.
Ongoing coverage of React2Shell