{"data":{"id":"4e685a8f-7171-494f-994b-e8ff949b74b0","title":"CVE-2021-35958: TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True","summary":"TensorFlow versions up to 2.5.0 have a vulnerability where attackers can overwrite arbitrary files by providing a specially crafted archive when the tf.keras.utils.get_file function is used with the extract=True setting. This happens because the function doesn't properly validate file paths during extraction (a weakness called path traversal, where attackers manipulate file paths to access files outside intended directories). The vendor notes that this function was not designed to handle untrusted archives.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2021-35958","publishedAt":"2021-06-30T05:15:07.033Z","cveId":"CVE-2021-35958","cweIds":["CWE-22"],"cvssScore":"9.1","cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["TensorFlow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.01093,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}