CVE-2021-37647: 
Python vulnerability analysis and mitigation

TensorFlow, an end-to-end open source platform for machine learning, was found to contain a vulnerability (CVE-2021-37647) in its SparseTensorSliceDataset implementation. The vulnerability was discovered and disclosed in August 2021, affecting TensorFlow versions prior to 2.6.0. The issue occurs when a user provides invalid arguments for a sparse tensor, where either indices or values are empty while the other is not (TensorFlow Advisory).

The vulnerability stems from insufficient argument validation in the SparseTensorSliceDataset implementation. When indices is empty but values are provided (or vice versa), the code attempts to perform validation by checking if indices are monotonically increasing. This leads to a null pointer dereference as the indices pointer is backed by an empty std::vector, making indices->dim_size(0) cause a null pointer dereference. The issue is similar to calling std::vector::at() on an empty vector (TensorFlow Advisory).

The vulnerability can lead to a null pointer dereference, which results in a program crash and potential denial of service when exploited. The severity of this vulnerability is rated as LOW according to the official assessment (TensorFlow Advisory).

The issue has been patched in TensorFlow versions 2.3.4, 2.4.3, 2.5.1, and 2.6.0. The fix was implemented in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7, which adds proper validation to ensure that if either indices or values are empty, the other must also be empty (TensorFlow Patch).

The vulnerability was reported by members of the Aivul Team from Qihoo 360, demonstrating ongoing security research in the machine learning infrastructure space (TensorFlow Advisory).