CVE-2020-15207: Improper Restriction of Operations within the Bounds of a Memory Buffer in Tensorflow

Severity
NVD: 9.0 CRITICAL
CNA: 8.7
EPSS
1.4% (top 19.47%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 25

Description

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the check that the converted index is valid is present only in debug builds. If the `DCHECK` does not trigger, code execution moves ahead with a negative index. This in turn results in out-of-bounds data access, which causes segfaults and/or data corruption. The issue is
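The pattern described above, as an added C illustration that is not TFLite's source code: `resolve_axis_debug_only`, `resolve_axis_checked`, `dim_size` and the `DEBUG_CHECK` macro are hypothetical names, with `DEBUG_CHECK` standing in for a check that is compiled out of release builds.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a debug-only check (assumption): a no-op unless DEBUG_BUILD is defined. */
#ifdef DEBUG_BUILD
#define DEBUG_CHECK(cond) do { if (!(cond)) abort(); } while (0)
#else
#define DEBUG_CHECK(cond) ((void)0)
#endif

/* Weak form: a negative axis is shifted by num_dims, but the result is
 * validated only in debug builds, so a release build returns it unchecked. */
static int resolve_axis_debug_only(int num_dims, int axis) {
    int current = axis < 0 ? axis + num_dims : axis;
    DEBUG_CHECK(current >= 0 && current < num_dims);
    return current; /* may still be negative or >= num_dims */
}

/* Hardened form: the range test runs in every build, before the conversion.
 * Returns false and leaves *out untouched when the axis is invalid. */
static bool resolve_axis_checked(int num_dims, int axis, int *out) {
    if (num_dims <= 0) return false;
    if (axis < -num_dims || axis >= num_dims) return false;
    *out = axis < 0 ? axis + num_dims : axis;
    return true;
}

/* Caller that indexes a shape array only after the runtime check passed. */
static bool dim_size(const int *dims, int num_dims, int axis, int *size) {
    int idx;
    if (!resolve_axis_checked(num_dims, axis, &idx)) return false;
    *size = dims[idx];
    return true;
}

int main(void) {
    const int dims[] = {2, 3, 4}; /* constructed sample shape */
    int size = 0;
    /* Only the resolved index is printed here; it is never used to read memory. */
    printf("debug-only, axis -5 -> index %d\n", resolve_axis_debug_only(3, -5));
    printf("checked, axis -5 -> %s\n", dim_size(dims, 3, -5, &size) ? "ok" : "rejected");
    if (dim_size(dims, 3, -1, &size)) printf("checked, axis -1 -> size %d\n", size);
    return 0;
}
```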

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 6.0

Affected Packages (4 packages)

NVD: google/tensorflow 2.0.0, 2.0.3, +4
CVEListV5: tensorflow/tensorflow < 1.15.4, +4
PyPI: intel/optimization_for_tensorflow 2.0.0, 2.0.3, +5
NVD: opensuse/leap 15.2

Patches

Vulnerability Details (4)

OSV: CVE-2020-15207: In tensorflow-lite before versions 1 (2020-09-25)
GHSA: Segfault and data corruption in tensorflow-lite (2020-09-25)
CVEList: Segfault and data corruption in tensorflow-lite (2020-09-25)
OSV: Segfault and data corruption in tensorflow-lite (2020-09-25)

Vendor Advisories (1)

Debian: CVE-2020-15207: tensorflow - In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mim... (2020)