CVE-2020-15214 — Out-of-bounds Write in Google Tensorflow

CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

8.1HIGHNVD

EPSS

0.3%

top 50.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Tensorflow Intel Optimization FOR Tensorflow Tensorflow

Timeline

PublishedSep 25

Description

In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a write out bounds / segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor. This results in allocating insufficient memory for the output tensor and in a write outside the bounds of the output array. This usually results in a segmentation fault, but dep…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:HExploitability: 2.2 | Impact: 5.3

Affected Packages3 packages

▶NVDgoogle/tensorflow2.2.0 — 2.2.1+1

▶PyPIintel/optimization_for_tensorflow2.2.0 — 2.2.1+2

▶CVEListV5tensorflow/tensorflow>= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-15214: In TensorFlow Lite before versions 2↗2020-09-25

▶

OSV

Out of bounds write in tensorflow-lite↗2020-09-25

▶

GHSA

Out of bounds write in tensorflow-lite↗2020-09-25

▶

CVEList

Out of bounds write in tensorflow-lite↗2020-09-25

▶

📋Vendor Advisories

Debian

CVE-2020-15214: tensorflow - In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can...↗2020

▶