CVE-2021-37xxx
This challenge covers the review of a CVE and its patch
In this lab, you will engage in a comprehensive code review of TensorFlow's model_config.py file. The primary objective is to identify vulnerabilities by examining the code and then verify your findings using the provided patch file. The code includes functions to instantiate Keras models from various configurations such as JSON and YAML, where the latter presents a security risk due to the possibility of arbitrary code execution.
The patch highlights critical changes, such as the removal of the YAML deserialization feature due to its inherent security risks. By analyzing the code and patch, you will gain insights into secure coding practices and the importance of updating legacy code to mitigate vulnerabilities. This exercise will enhance your ability to recognize and address potential security flaws in codebases.