CVE-2021-37668: 
Python vulnerability analysis and mitigation

TensorFlow, an end-to-end open source platform for machine learning, was found to contain a vulnerability (CVE-2021-37668) that was disclosed on August 12, 2021. The vulnerability affects versions prior to 2.3.4, 2.4.3, 2.5.1, and 2.6.0. This security flaw allows attackers to cause denial of service in applications serving models using tf.raw_ops.UnravelIndex by triggering a division by zero error (GitHub Advisory, NVD).

The vulnerability exists in the implementation of tf.raw_ops.UnravelIndex where the code does not validate that the tensor subsumed by dims is not empty. When an element of dims is 0, the implementation performs a division by zero operation, leading to a crash. The issue was assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can cause denial of service in applications that use the affected TensorFlow versions, specifically those utilizing the tf.raw_ops.UnravelIndex operation. The impact is limited to availability, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in TensorFlow versions 2.3.4, 2.4.3, 2.5.1, and 2.6.0. The fix was implemented in GitHub commit a776040a5e7ebf76eeb7eb923bf1ae417dd4d233, which adds validation to ensure that the dims input cannot contain zero values (GitHub Advisory).