Lucene search
GoogleOSV:PYSEC-2021-789HistoryAug 12, 2021 - 11:15 p.m.
PYSEC-2021-789
2021-08-1223:15:00
Google
osv.dev
12
tensorflow
keras
yaml deserialization
EPSS
0
Percentile
12.6%
TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation uses yaml.unsafe_load which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Related
cvelist
cvelist
CVE-2021-37678 Arbitrary code execution due to YAML deserialization
2021-08-12 23:05:10
cve
cve
CVE-2021-37678
2021-08-12 23:15:08
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Google Tensorflow
2021-09-09 12:55:55
osv
osv
CVE-2021-37678
2021-08-12 23:15:08
BIT-tensorflow-2021-37678
2024-03-06 11:16:58
Arbitrary code execution due to YAML deserialization
2021-08-25 14:41:12
cnvd
cnvd
Google TensorFlow arbitrary code execution vulnerability
2021-08-13 00:00:00
prion
prion
Buffer overflow
2021-08-12 23:15:00
nvd
nvd
CVE-2021-37678
2021-08-12 23:15:08
github
github
Arbitrary code execution due to YAML deserialization
2021-08-25 14:41:12
suse
suse
Security update for tensorflow2 (moderate)
2022-06-18 00:00:00
nessus
nessus
openSUSE 15 Security Update : tensorflow2 (openSUSE-SU-2022:10014-1)
2022-06-19 00:00:00