AVID-2026-R0917

Description

Code injection in saved_model_cli (CVE-2021-41228)

Details

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow’s saved_model_cli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. We have patched this by adding a safe flag which defaults to True and an explicit warning for users. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-41228 describes a code injection vulnerability in TensorFlow’s saved_model_cli, which uses eval on user-supplied strings. TensorFlow is a core ML framework, and saved_model_cli is part of the AI software stack used to build, train, deploy, and run AI systems. This is a security vulnerability in a software component (dependency/tool) integral to ML pipelines, i.e., a potential supply-chain risk for general-purpose AI systems. The report provides clear evidence (NVD entry, GHSA advisory, commit) and describes the impact and fixes, satisfying sufficiency for AVID curation.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v
• https://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-11-05
• Version: 0.3.3
• AVID Entry