CVE-2021-37670: 
Python vulnerability analysis and mitigation

TensorFlow, an end-to-end open source platform for machine learning, was found to contain a vulnerability (CVE-2021-37670) where an attacker could read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to tf.raw_ops.UpperBound. The vulnerability was discovered and disclosed in August 2021, affecting TensorFlow versions prior to 2.6.0. The issue impacted both UpperBound and LowerBound operations (TF Advisory, NVD).

The vulnerability stems from insufficient validation of input tensor ranks in the implementation. Specifically, the code accesses the first two dimensions of the sorted_inputs_t tensor without validating that it has at least rank 2. This oversight allows attackers to trigger out-of-bounds memory reads by providing specially crafted arguments. The CVSS v3.1 base score is 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (TF Advisory).

The vulnerability allows attackers to read data outside the bounds of heap-allocated memory, potentially exposing sensitive information from the application's memory space. This could lead to information disclosure and potential system compromise (TF Advisory).

The issue has been patched in TensorFlow versions 2.3.4, 2.4.3, 2.5.1, and 2.6.0. The fix implements proper validation of input tensor ranks before accessing their dimensions. Users are strongly recommended to upgrade to these patched versions. The fix was implemented in GitHub commit 42459e4273c2e47a3232cc16c4f4fff3b3a35c38 (TF Advisory).