CVE-2020-15210 — Improper Input Validation in Tensorflow

CWE-20 — Improper Input Validation CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 44.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow +1 more

Timeline

PublishedSep 25

Description

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 2.2 | Impact: 4.2

Affected Packages4 packages

▶NVDgoogle/tensorflow2.0.0 — 2.0.3+4

▶CVEListV5tensorflow/tensorflow< 1.15.4+4

▶PyPIintel/optimization_for_tensorflow2.0.0 — 2.0.3+5

▶NVDopensuse/leap15.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Segmentation fault in tensorflow-lite↗2020-09-25

▶

GHSA

Segmentation fault in tensorflow-lite↗2020-09-25

▶

CVEList

Segmentation fault in tensorflow-lite↗2020-09-25

▶

OSV

CVE-2020-15210: In tensorflow-lite before versions 1↗2020-09-25

▶

📋Vendor Advisories

Debian

CVE-2020-15210: tensorflow - In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a T...↗2020

▶