CVE-2020-15197: Improper Input Validation in Intel Optimization for Tensorflow

Severity: 6.3 MEDIUM (NVD)
EPSS: 0.2% (top 55.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 25

Description

In Tensorflow before version 2.3.1, the `SparseCountSparseOutput` implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the `indices` tensor has rank 2. This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of different rank, resulting in a `CHECK` assertion failure and a crash. This can be used to cause denial of service in servin

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 4.0

Affected Packages (3 packages)

PyPI | intel/optimization_for_tensorflow | 2.3.0 | 2.3.1 | +2
CVEListV5 | tensorflow/tensorflow | = 2.3.0

🔴 Vulnerability Details (4)

OSV: CVE-2020-15197: In Tensorflow before version 2 (2020-09-25)
GHSA: Denial of Service in Tensorflow (2020-09-25)
OSV: Denial of Service in Tensorflow (2020-09-25)
CVEList: Denial of Service in Tensorflow (2020-09-25)

📋 Vendor Advisories (1)

Debian: CVE-2020-15197: tensorflow - In Tensorflow before version 2.3.1, the `SparseCountSparseOutput` implementation... (2020)