CVE-2021-37691: 
Python vulnerability analysis and mitigation

CVE-2021-37691 is a vulnerability in TensorFlow, an end-to-end open source platform for machine learning. The vulnerability was discovered in July 2021 and affects TensorFlow versions from 2.3.0 to 2.6.0-rc2. The issue allows an attacker to craft a TFLite model that triggers a division by zero error in the LSH (Locality-Sensitive Hashing) implementation (GitHub Advisory).

The vulnerability exists in the LSH implementation where there is no validation check to ensure that the first dimension of the input tensor is non-zero. This oversight can lead to a division by zero error when calculating inputitembytes by dividing the input tensor's bytes by SizeOfDimension(input, 0). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can cause a division by zero error when processing specially crafted TFLite models, potentially leading to application crashes or denial of service conditions. The impact is limited to availability with no direct consequences for confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in GitHub commit 0575b640091680cfb70f4dd93e70658de43b94f9. The fix is included in TensorFlow 2.6.0 and has been backported to TensorFlow 2.5.1, 2.4.3, and 2.3.4. Users should upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).