CVE-2020-15203 — Improper Input Validation in Tensorflow

CWE-20 — Improper Input Validation CWE-134 — Use of Externally-Controlled Format String6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow +1 more

Timeline

PublishedSep 25

Description

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed. This may result in segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDgoogle/tensorflow2.0.0 — 2.0.3+4

▶CVEListV5tensorflow/tensorflow< 1.15.4+4

▶PyPIintel/optimization_for_tensorflow2.0.0 — 2.0.3+5

▶NVDopensuse/leap15.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Denial of Service in Tensorflow↗2020-09-25

▶

OSV

CVE-2020-15203: In Tensorflow before versions 1↗2020-09-25

▶

CVEList

Denial of Service in Tensorflow↗2020-09-25

▶

GHSA

Denial of Service in Tensorflow↗2020-09-25

▶

📋Vendor Advisories

Debian

CVE-2020-15203: tensorflow - In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controll...↗2020

▶