CVE-2021-35958

9.1CRITICAL

Key Information:

Vendor: Google
Status: Tensorflow
Vendor: CVE Published:; 30 June 2021

Summary

TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives

References

https://vuln.ryotak.me/advisories/52

x_refsource_MISC

https://github.com/tensorflow/tensorflow/blob/b8cad4c6310...

x_refsource_MISC

https://docs.python.org/3/library/tarfile.html#tarfile.Ta...

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 30, 2021
Vulnerability Reserved
Jun 30, 2021

Collectors

NVD DatabaseMitre Database