Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary code execution due to YAML deserialization
Vulnerability Description
TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses `yaml.unsafe_load` which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
可信数据的反序列化
Vulnerability Title
Google TensorFlow 代码问题漏洞
Vulnerability Description
Google TensorFlow是美国谷歌(Google)公司的一套用于机器学习的端到端开源平台。 TensorFlow 中存在代码问题漏洞,该漏洞源于产品从YAML格式反序列化到Keras模型时未对输入数据做有效验证,攻击者可通过该漏洞导致代码执行。以下产品及版本收到影响:TensorFlow 2.5.1、TensorFlow 2.4.3 和 TensorFlow 2.3.4。
CVSS Information
N/A
Vulnerability Type
N/A