CVE-2021-29513: 
Python vulnerability analysis and mitigation

TensorFlow, an end-to-end open source platform for machine learning, was found to have a vulnerability (CVE-2021-29513) related to type confusion during tensor casts. The vulnerability was discovered when calling TensorFlow operations with tensors of non-numeric types when the operations expect numeric tensors, resulting in null pointer dereferences. The issue affects TensorFlow versions up to 2.1.4, 2.2.3, 2.3.3, and 2.4.2 (GitHub Advisory).

The vulnerability stems from a type confusion in the conversion from Python array to C++ array. When processing certain tensor types, the pyarraytype is NPYVOID but the descr field has descr->field = NULL. This leads to a null pointer dereference in the PyArrayDescrtoTFDataType function when PyDictNext attempts to dereference the first argument. The vulnerability received a CVSS v3.1 base score of 7.8 (HIGH) from NVD, while GitHub assessed it with a score of 2.5 (LOW) (NVD).

When exploited, this vulnerability can result in null pointer dereferences, which could potentially lead to application crashes. The issue affects multiple versions of TensorFlow and could impact applications that process non-numeric tensor types with operations expecting numeric tensors (GitHub Advisory).

The vulnerability was patched in TensorFlow 2.5.0. The fix was also backported to TensorFlow versions 2.4.2, 2.3.3, 2.2.3, and 2.1.4. Users are advised to upgrade to these patched versions. The fix was implemented in GitHub commit 030af767d357d1b4088c4a25c72cb3906abac489 (GitHub Advisory).