CVE-2020-15202 — Numeric Truncation Error in Tensorflow

CWE-197 — Numeric Truncation Error CWE-754 — Improper Check for Unusual or Exceptional Conditions6 documents5 sources

Severity

9.0CRITICALNVD

EPSS

0.5%

top 33.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow +1 more

Timeline

PublishedSep 25

Description

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/w…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.2 | Impact: 6.0

Affected Packages4 packages

▶NVDgoogle/tensorflow2.0.0 — 2.0.3+4

▶CVEListV5tensorflow/tensorflow< 1.15.4+4

▶PyPIintel/optimization_for_tensorflow2.0.0 — 2.0.3+6

▶NVDopensuse/leap15.2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Integer truncation in Shard API usage↗2020-09-25

▶

OSV

CVE-2020-15202: In Tensorflow before versions 1↗2020-09-25

▶

GHSA

Integer truncation in Shard API usage↗2020-09-25

▶

CVEList

Integer truncation in Shard API usage↗2020-09-25

▶

📋Vendor Advisories

Debian

CVE-2020-15202: tensorflow - In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard`...↗2020

▶