The vulnerability identified as CVE-2021-29593 affects Google TensorFlow, an end-to-end open source platform for machine learning. The issue lies in the implementation of the `BatchToSpaceNd` TFLite operator, which is susceptible to a division by zero. An attacker can exploit it by crafting a model in which one dimension of the `block` input is zero, so that the corresponding entry of `block_shape` is also zero; the operator then divides by that value without checking it, and the process running inference on the model crashes. The advisory assigns a CVSS score of 2.5, which is a low severity rating.
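To make the failure mode concrete, the following C++ is an added example, not TensorFlow's own code: a stand-in for the output shape computation of `BatchToSpaceNd`, first in the unchecked form that divides by each `block_shape` entry (the vulnerable pattern), then with the validation that rejects a zero block dimension before any division. The names `OutputBatchUnchecked`, `ComputeBatchToSpaceShape`, `Status` and `ShapeResult` are assumptions for this example, and the input shapes in `main` are constructed to mirror a benign model and a crafted one.

```cpp
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Minimal status type standing in for TfLiteStatus (assumed name, not TFLite's own).
enum class Status { kOk, kError };

struct ShapeResult {
  int64_t output_batch = 0;             // input batch / prod(block_shape)
  std::vector<int64_t> output_spatial;  // per dim: input * block - crop_begin - crop_end
};

// Unchecked shape computation modelling the vulnerable pattern: the batch
// dimension is divided by every block_shape entry with no validation. A model
// whose block_shape carries a 0 turns this into an integer division by zero,
// which is undefined behaviour in C++ and a SIGFPE crash on x86 (denial of
// service). Shown only for contrast; never call it with a zero entry.
int64_t OutputBatchUnchecked(int64_t input_batch,
                             const std::vector<int64_t>& block_shape) {
  int64_t out = input_batch;
  for (int64_t b : block_shape) out = out / b;  // no b != 0 check
  return out;
}

// Hardened version: validate the model-supplied shapes before dividing.
// `input_shape` is [batch, spatial..., depth]; `crops` holds one
// [begin, end] pair per spatial dimension, as in the TFLite operator.
Status ComputeBatchToSpaceShape(
    const std::vector<int64_t>& input_shape,
    const std::vector<int64_t>& block_shape,
    const std::vector<std::pair<int64_t, int64_t>>& crops,
    ShapeResult* result) {
  const size_t spatial_dims = block_shape.size();
  if (input_shape.size() != spatial_dims + 2 || crops.size() != spatial_dims) {
    return Status::kError;  // rank of input, block_shape and crops disagree
  }
  int64_t output_batch = input_shape[0];
  for (size_t dim = 0; dim < spatial_dims; ++dim) {
    // The check that closes the bug: a zero (or negative) block size is
    // invalid input from the model, so fail the op instead of dividing.
    if (block_shape[dim] <= 0) return Status::kError;
    // Batch must split evenly across the block, otherwise the shapes lie.
    if (output_batch % block_shape[dim] != 0) return Status::kError;
    output_batch /= block_shape[dim];
  }
  std::vector<int64_t> spatial;
  for (size_t dim = 0; dim < spatial_dims; ++dim) {
    const int64_t expanded = input_shape[dim + 1] * block_shape[dim];
    const int64_t cropped = expanded - crops[dim].first - crops[dim].second;
    if (crops[dim].first < 0 || crops[dim].second < 0 || cropped < 0) {
      return Status::kError;  // crops cannot be negative or exceed the dim
    }
    spatial.push_back(cropped);
  }
  result->output_batch = output_batch;
  result->output_spatial = std::move(spatial);
  return Status::kOk;
}

int main() {
  ShapeResult r;
  // Constructed benign model: input [4, 2, 2, 1], block_shape [2, 2], no crops.
  Status ok = ComputeBatchToSpaceShape({4, 2, 2, 1}, {2, 2}, {{0, 0}, {0, 0}}, &r);
  std::printf("benign: ok=%d batch=%lld spatial=%lldx%lld\n", ok == Status::kOk,
              (long long)r.output_batch, (long long)r.output_spatial[0],
              (long long)r.output_spatial[1]);
  // Constructed crafted model: block_shape with a zero entry, as in the CVE.
  // The hardened path rejects it; OutputBatchUnchecked would crash here.
  Status bad = ComputeBatchToSpaceShape({4, 2, 2, 1}, {2, 0}, {{0, 0}, {0, 0}}, &r);
  std::printf("crafted: rejected=%d\n", bad == Status::kError);
  return 0;
}
```

The divisibility and crop checks go beyond the single zero-division fix; they are the other shape invariants a practitioner would verify at the same point, since any of them being violated by an untrusted model leads to out-of-bounds indexing later in the kernel.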
The impact is limited to availability: a process that loads and runs an attacker-supplied model can be crashed. The exposure is therefore highest where TFLite executes models from untrusted sources, such as user-uploaded models; a deployment that only runs models it built itself is not directly exposed. The advisory rates the issue as low severity, and for most organizations remediation can be handled as part of routine maintenance.
This vulnerability was published on May 14, 2021, and the entry has been updated since its initial disclosure. The fix is included in TensorFlow 2.5.0 and is also cherry-picked to the earlier release lines still in the support window: TensorFlow 2.4.2, 2.3.3, 2.2.3 and 2.1.4.
Organizations should move to a patched version through their regular update cycle; deployments that accept models from untrusted sources should treat the upgrade as more urgent. Keeping TensorFlow current and reviewing where untrusted models enter a pipeline reduces exposure to this class of malformed-model bugs.
For further details on the patch, refer to the official advisory. It is critical to maintain awareness of vulnerabilities in widely-used frameworks like TensorFlow to ensure the integrity and availability of machine learning applications.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.