Learn about CVE-2021-35958, a vulnerability in TensorFlow up to 2.5.0 that allows attackers to overwrite files via crafted archives when using `tf.keras.utils.get_file`. Understand impact, mitigation, and prevention.
TensorFlow through 2.5.0 has a vulnerability that allows attackers to overwrite arbitrary files by exploiting a crafted archive when `tf.keras.utils.get_file` is used with `extract=True`. Please note that the vendor's stance is that this function is not meant for untrusted archives.
Understanding CVE-2021-35958
This section delves into the details of the CVE-2021-35958 vulnerability.
What is CVE-2021-35958?
TensorFlow versions up to 2.5.0 are susceptible to a file overwrite issue through a specially crafted archive using `tf.keras.utils.get_file` with `extract=True`.
The Impact of CVE-2021-35958
The impact of this vulnerability is significant: a malicious archive can overwrite files on the system that calls the function, potentially leading to unauthorized access and data manipulation.
Technical Details of CVE-2021-35958
Explore the technical aspects of CVE-2021-35958 below.
Vulnerability Description
The vulnerability allows threat actors to overwrite arbitrary files by manipulating a crafted archive during the file extraction process with `tf.keras.utils.get_file`.
Affected Systems and Versions
All TensorFlow versions up to 2.5.0 are affected by this vulnerability.
Exploitation Mechanism
Attackers can exploit this vulnerability by providing a malicious archive when utilizing the `tf.keras.utils.get_file` function with the `extract=True` parameter.
Mitigation and Prevention
Discover how to mitigate and prevent exploitation of CVE-2021-35958 below.
Immediate Steps to Take
To address this issue, users should refrain from using `tf.keras.utils.get_file` with untrusted archives. It is recommended to only utilize this function with trusted sources.
Long-Term Security Practices
Implement a robust security policy that includes thorough validation of file inputs and regular security updates to prevent similar vulnerabilities in the future.
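The advisory above describes an archive whose members, when extracted, land outside the intended directory and overwrite other files. The validation it recommends, in practice, means inspecting every member path (and, for tar archives, every link target) against the destination before anything is written. The following is an added, self-contained example of such a guard; it is not TensorFlow's code or the fix that shipped in TensorFlow, and it does not call `tf.keras.utils.get_file`. The archive names, member names and the `UnsafeArchiveError` class are all constructed for the demo.

```python
import io
import os
import tarfile
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveError(ValueError):
    """Raised when an archive member would be written outside the destination directory."""


def _escapes(dest: Path, name: str) -> bool:
    """True if `name` (a member path or a link target) would land outside `dest`.

    Absolute names are rejected outright; relative names are resolved against
    `dest` so that any number of '..' components is collapsed before the check.
    """
    if not name or os.path.isabs(name):
        return True
    resolved = (dest / name).resolve()
    return resolved != dest and dest not in resolved.parents


def unsafe_members(archive, dest_dir) -> list:
    """Return the names of members that would escape `dest_dir` if extracted naively.

    Every member is examined before any extraction happens, so a symlink
    planted by an earlier member cannot redirect a later member's write.
    """
    dest = Path(dest_dir).resolve()
    bad = []
    if zipfile.is_zipfile(archive):
        with zipfile.ZipFile(archive) as zf:
            for info in zf.infolist():
                if _escapes(dest, info.filename):
                    bad.append(info.filename)
        return bad
    with tarfile.open(archive) as tf:
        for m in tf.getmembers():
            if _escapes(dest, m.name):
                bad.append(m.name)
            elif m.issym():
                # A symlink target is relative to the directory containing the link.
                target = os.path.join(os.path.dirname(m.name), m.linkname)
                if _escapes(dest, target):
                    bad.append(m.name)
            elif m.islnk() and _escapes(dest, m.linkname):
                # A hard-link target is relative to the archive root.
                bad.append(m.name)
    return bad


def safe_extract(archive, dest_dir) -> list:
    """Refuse the whole archive if any member is unsafe; otherwise extract and return member names."""
    bad = unsafe_members(archive, dest_dir)
    if bad:
        raise UnsafeArchiveError(f"refusing to extract; members escape {dest_dir}: {bad}")
    if zipfile.is_zipfile(archive):
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(dest_dir)
            return zf.namelist()
    with tarfile.open(archive) as tf:
        tf.extractall(dest_dir)
        return tf.getnames()


def _add(tf: tarfile.TarFile, name: str, data: bytes) -> None:
    """Add an in-memory regular file to a tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def build_demo_archives(workdir) -> tuple:
    """Constructed test fixtures (not from the advisory): one clean archive, one with escaping members."""
    work = Path(workdir)
    clean = work / "clean.tar.gz"
    with tarfile.open(clean, "w:gz") as tf:
        _add(tf, "model/weights.bin", b"\x00" * 16)
    crafted = work / "crafted.tar.gz"
    with tarfile.open(crafted, "w:gz") as tf:
        _add(tf, "model/weights.bin", b"\x00" * 16)
        _add(tf, "../outside.txt", b"constructed")     # path traversal via '..'
        link = tarfile.TarInfo("model/escape")           # symlink whose target leaves dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return clean, crafted


def demo() -> dict:
    """Run the guard against both fixtures and report what it decided."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, crafted = build_demo_archives(tmp)
        dest = Path(tmp) / "extracted"
        dest.mkdir()
        result = {
            "clean_flagged": unsafe_members(clean, dest),
            "crafted_flagged": unsafe_members(crafted, dest),
            "clean_extracted": safe_extract(clean, dest),
        }
        try:
            safe_extract(crafted, dest)
            result["crafted_refused"] = False
        except UnsafeArchiveError:
            result["crafted_refused"] = True
        # The traversal member would have landed here had extraction proceeded.
        result["outside_written"] = (Path(tmp) / "outside.txt").exists()
        return result


if __name__ == "__main__":
    print(demo())
```

The guard rejects the archive as a whole rather than skipping bad members, because a partially extracted model directory is itself a confusing state to leave behind. Resolving each member against the destination (rather than string-matching for `..`) also catches encodings of the same escape that a substring check would miss, such as `a/../../b`.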
Patching and Updates
Ensure that you update TensorFlow to a patched version beyond 2.5.0 to mitigate the risk posed by CVE-2021-35958.