CVE-2021-41228

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. We have patched this by adding a `safe` flag which defaults to `True` and an explicit warning for users. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

CVSS v3 7.8 HIGH
CVSS v2.0 4.6 MEDIUM

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7	Patch Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:google:tensorflow::::::::
	cpe:2.3:a:google:tensorflow::::::::
	cpe:2.3:a:google:tensorflow::::::::
	cpe:2.3:a:google:tensorflow:2.7.0:rc0::::::
	cpe:2.3:a:google:tensorflow:2.7.0:rc1::::::

History

10 Nov 2021, 13:13

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-11-05 23:15

Updated : 2024-02-04 22:08

NVD link : CVE-2021-41228

Mitre link : CVE-2021-41228

CVE.ORG link : CVE-2021-41228

JSON object : View

Products Affected

google

tensorflow

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2021-41228", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}]}, "published": "2021-11-05T23:15:08.663", "references": [{"url": "https://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. We have patched this by adding a `safe` flag which defaults to `True` and an explicit warning for users. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range."}, {"lang": "es", "value": "TensorFlow es una plataforma de c\u00f3digo abierto para el aprendizaje autom\u00e1tico. En las versiones afectadas, la herramienta \"saved_model_cli\" de TensorFlow es vulnerable a una inyecci\u00f3n de c\u00f3digo ya que llama a \"eval\" sobre cadenas suministradas por el usuario. Esto puede ser usado por atacantes para ejecutar c\u00f3digo arbitrario en la plataforma donde es ejecutada la herramienta CLI. Sin embargo, dado que la herramienta siempre es ejecutada manualmente, el impacto de esto no es grave. Hemos corregido esto a\u00f1adiendo una bandera \"safe\" que por defecto es \"True\" y una advertencia expl\u00edcita para usuarios. La correcci\u00f3n ser\u00e1 incluida en TensorFlow versi\u00f3n 2.7.0. Tambi\u00e9n seleccionaremos este commit en TensorFlow versi\u00f3n 2.6.1, TensorFlow versi\u00f3n 2.5.2, y TensorFlow versi\u00f3n 2.4.4, ya que estos tambi\u00e9n se ven afectados y todav\u00eda est\u00e1n en el rango admitido"}], "lastModified": "2022-10-20T21:25:37.043", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E596567-6F67-4880-8EC4-CB262BF02E0D", "versionEndExcluding": "2.4.4", "versionStartIncluding": "2.4.0"}, {"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "035CDF63-1548-4FB4-B8A9-B8D328FAF910", "versionEndExcluding": "2.5.2", "versionStartIncluding": "2.5.0"}, {"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D68D8D1-DB27-4395-9D3D-2BED901B852C", "versionEndExcluding": "2.6.1", "versionStartIncluding": "2.6.0"}, {"criteria": "cpe:2.3:a:google:tensorflow:2.7.0:rc0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A58EDA5C-66D6-46F1-962E-60AFB7C784A7"}, {"criteria": "cpe:2.3:a:google:tensorflow:2.7.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89522760-C2DF-400D-9624-626D8F160CBA"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}