What is the severity of CVE-2021-35958?

CVE-2021-35958 is classified as a moderate severity vulnerability due to the potential for arbitrary file overwrites.

How do I fix CVE-2021-35958?

To mitigate CVE-2021-35958, avoid using the tf.keras.utils.get_file method with extract=True on untrusted archives.

Which versions of TensorFlow are affected by CVE-2021-35958?

CVE-2021-35958 affects versions of TensorFlow from 0.1.0 up to and including 2.5.0.

Can CVE-2021-35958 lead to remote code execution?

CVE-2021-35958 itself does not directly lead to remote code execution, but can allow an attacker to overwrite arbitrary files on the system.

Is there a recommended workaround for CVE-2021-35958?

The recommended workaround for CVE-2021-35958 is to validate and sanitize all inputs to tf.keras.utils.get_file before extraction.

Vulnerability/
CVE-2021-35958

critical

9.1

CWE

30/6/2021

4/8/2024

CVE-2021-35958: Path Traversal

First published: Wed Jun 30 2021(Updated: )

** DISPUTED ** TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Google TensorFlow	<=2.5.0
	<=2.5.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-35958?
CVE-2021-35958 is classified as a moderate severity vulnerability due to the potential for arbitrary file overwrites.
How do I fix CVE-2021-35958?
To mitigate CVE-2021-35958, avoid using the tf.keras.utils.get_file method with extract=True on untrusted archives.
Which versions of TensorFlow are affected by CVE-2021-35958?
CVE-2021-35958 affects versions of TensorFlow from 0.1.0 up to and including 2.5.0.
Can CVE-2021-35958 lead to remote code execution?
CVE-2021-35958 itself does not directly lead to remote code execution, but can allow an attacker to overwrite arbitrary files on the system.
Is there a recommended workaround for CVE-2021-35958?
The recommended workaround for CVE-2021-35958 is to validate and sanitize all inputs to tf.keras.utils.get_file before extraction.

collector/nvd-index
agent/type
agent/severity
agent/weakness
agent/references
agent/author
agent/status
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
agent/first-publish-date
agent/event
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/source
status/disputed
vendor/google
canonical/google tensorflow
version/google tensorflow/2.5.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.