Published: 30/06/2021 Updated: 17/05/2024

CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10

CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9

VMScore: 571

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

TensorFlow up to and including 2.5.0 allows malicious users to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives

Vulnerable Product	Search on Vulmon	Subscribe to Product
google tensorflow

** DISPUTED ** TensorFlow through 250 allows attackers to overwrite arbitrary files via a crafted archive when tfkerasutilsget_file is used with extract=True NOTE: the vendor's position is that tfkerasutilsget_file is not intended for untrusted archives ...

CVE-2021-35958-2

CVE-2021-35958-1

CWE-22 https://keras.io/api/https://github.com/tensorflow/tensorflow/blob/b8cad4c631096a34461ff8a07840d5f4d123ce32/tensorflow/python/keras/utils/data_utils.py#L137 https://github.com/tensorflow/tensorflow/blob/b8cad4c631096a34461ff8a07840d5f4d123ce32/tensorflow/python/keras/README.md https://vuln.ryotak.me/advisories/52 https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall https://nvd.nist.gov https://github.com/miguelc49/CVE-2021-35958-2 https://security.archlinux.org/CVE-2021-35958

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2021-35958

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect