CVE-2020-15192 — Improper Input Validation in Intel Optimization FOR Tensorflow

CWE-20 — Improper Input Validation6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 54.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Intel Optimization FOR Tensorflow Tensorflow Google Tensorflow +1 more

Timeline

PublishedSep 25

Description

In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the `status` argument during validation failures is not properly checked. Since each of the above methods can return an error status, the `status` value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶PyPIintel/optimization_for_tensorflow2.2.0 — 2.2.1+4

▶NVDgoogle/tensorflow2.2.0, 2.3.0+1

▶CVEListV5tensorflow/tensorflow= 2.2.0, = 2.3.0+1

▶NVDopensuse/leap15.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Memory leak in Tensorflow↗2020-09-25

▶

GHSA

Memory leak in Tensorflow↗2020-09-25

▶

OSV

CVE-2020-15192: In Tensorflow before versions 2↗2020-09-25

▶

OSV

Memory leak in Tensorflow↗2020-09-25

▶

📋Vendor Advisories

Debian

CVE-2020-15192: tensorflow - In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of string...↗2020

▶