CVE-2021-29519: 
Python vulnerability analysis and mitigation

TensorFlow, an end-to-end open source platform for machine learning, was found to contain a vulnerability in the API of tf.raw_ops.SparseCross (CVE-2021-29519). The vulnerability was discovered by Yakun Zhang and Ying Wang of Baidu X-Team and disclosed on May 14, 2021. The issue affects TensorFlow versions prior to 2.5.0, including versions 2.1.x, 2.2.x, 2.3.x, and 2.4.x (GitHub Advisory).

The vulnerability stems from a type confusion issue where the implementation is tricked to consider a tensor of type tstring which contains integral elements. This confusion occurs in the implementation at tensorflow/core/kernels/sparsecrossop.cc, where the code fails to properly validate the mixing of DT_STRING and DT_INT64 types. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) by NIST NVD, while GitHub rates it as LOW severity (NVD).

When exploited, this vulnerability results in a CHECK-failure leading to a denial of service condition. The issue occurs when specific combinations of inputs are provided to the tf.raw_ops.SparseCross operation, causing the system to fail when validating tensor types (GitHub Advisory).

The issue has been patched in TensorFlow 2.5.0. Additionally, the fix has been backported to TensorFlow versions 2.4.2, 2.3.3, 2.2.3, and 2.1.4. Users are advised to upgrade to these patched versions. The fix involves preventing the mixing of DT_STRING and DT_INT64 types in the implementation (GitHub Advisory, TensorFlow Patch).