CVE-2021-37637: 
Python vulnerability analysis and mitigation

TensorFlow, an end-to-end open source platform for machine learning, was found to contain a vulnerability identified as CVE-2021-37637. The vulnerability involves a null pointer dereference that could be triggered by passing an invalid input to tf.raw_ops.CompressElement. This security issue was discovered and reported by members of the Aivul Team from Qihoo 360, and was also independently identified internally by the TensorFlow team (GitHub Advisory).

The vulnerability stems from a implementation flaw where the code was accessing the size of a buffer obtained from the return of a separate function call before validating that said buffer is valid. The issue was present in the compression_utils.cc file. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) by NVD and 7.7 (HIGH) by GitHub, with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability affects multiple versions of TensorFlow, including versions from 2.3.0 up to 2.3.4, 2.4.0 up to 2.4.3, version 2.5.0, and release candidates of version 2.6.0 (rc0, rc1, rc2). When exploited, the vulnerability could lead to a null pointer dereference, potentially causing application crashes (NVD).

The vulnerability has been patched in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5. The fix was included in TensorFlow 2.6.0 and was backported to versions 2.5.1, 2.4.3, and 2.3.4. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).