Arbitrary File Overwrite Vulnerability in TensorFlow's tf.keras.utils.get_file

CVE-2021-35958 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives

Learn more about our Web Application Penetration Testing UK.