CVE-2021-37642

Name
CVE-2021-37642
Description
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.ResourceScatterDiv` is vulnerable to a division by 0 error. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/resource_variable_ops.cc#L865) uses a common class for all binary operations but fails to treat the division by 0 case separately. We have patched the issue in GitHub commit 4aacb30888638da75023e6601149415b39763d76. The fix will be included in TensorFlow 2.6.0. We will also cherry-pick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
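As an added illustration (not TensorFlow's code), the following toy integer scatter-div in C++ shows the pattern the advisory describes, a generic binary-op path that divides without looking at the divisor, next to a variant that validates indices and divisors before mutating the resource. All names and sample values are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <string>
#include <vector>

// Status-style result, modelled loosely on how kernels report errors.
struct ScatterStatus {
    bool ok;
    std::string message;
};

// Unguarded scatter-div: one generic path for add/sub/mul/div, as in the
// advisory. For integer tensors a zero in `updates` is undefined behaviour
// (a SIGFPE on x86), so a crafted input aborts the process.
inline void scatter_div_unchecked(std::vector<int32_t>& resource,
                                  const std::vector<int64_t>& indices,
                                  const std::vector<int32_t>& updates) {
    for (size_t i = 0; i < indices.size(); ++i)
        resource[static_cast<size_t>(indices[i])] /= updates[i];
}

// Guarded variant: every update is validated before the resource is touched,
// so a bad tensor yields an error status instead of a crash or a half-applied
// update. INT_MIN / -1 is rejected too, since it overflows on two's complement.
inline ScatterStatus scatter_div_checked(std::vector<int32_t>& resource,
                                         const std::vector<int64_t>& indices,
                                         const std::vector<int32_t>& updates) {
    if (indices.size() != updates.size())
        return {false, "indices and updates must have the same length"};
    for (size_t i = 0; i < indices.size(); ++i) {
        if (indices[i] < 0 || static_cast<size_t>(indices[i]) >= resource.size())
            return {false, "index " + std::to_string(indices[i]) + " out of range"};
        if (updates[i] == 0)
            return {false, "Integer division by zero at update " + std::to_string(i)};
        if (updates[i] == -1 &&
            resource[static_cast<size_t>(indices[i])] == std::numeric_limits<int32_t>::min())
            return {false, "Integer overflow at update " + std::to_string(i)};
    }
    for (size_t i = 0; i < indices.size(); ++i)
        resource[static_cast<size_t>(indices[i])] /= updates[i];
    return {true, ""};
}
```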
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type     URI
MISC     https://github.com/tensorflow/tensorflow/commit/4aacb30888638da75023e6601149415b39763d76
CONFIRM  https://github.com/tensorflow/tensorflow/security/advisories/GHSA-ch4f-829c-v5pw

Match rules

CPE URI                                              Source package  Min version  Max version
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*          tensorflow      >= 2.3.0     < 2.3.4
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*          tensorflow      >= 2.4.0     < 2.4.3
cpe:2.3:a:google:tensorflow:2.5.0:*:*:*:*:*:*:*      tensorflow      == None      == 2.5.0
cpe:2.3:a:google:tensorflow:2.6.0:rc0:*:*:*:*:*:*    tensorflow      == None      == 2.6.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status