CVE-2020-5215Improper Check for Unusual or Exceptional Conditions in Tensorflow

CWE-754Improper Check for Unusual or Exceptional ConditionsCWE-20Improper Input Validation8 documents6 sources
Severity
7.5HIGHNVD
CNA5.0
EPSS
0.2%
top 53.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowGoogle TensorflowIntel Optimization FOR Tensorflow
Timeline
PublishedJan 28
Latest updateSep 25

Description

In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDgoogle/tensorflow2.0.02.0.1+1
CVEListV5tensorflow/tensorflow< 1.15.2+1
PyPIintel/optimization_for_tensorflow2.0.02.0.1+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
Segmentation faultin TensorFlow when converting a Python string to `tf.float16`2020-01-28
OSV
CVE-2020-5215: In TensorFlow before 12020-01-28
OSV
Segmentation faultin TensorFlow when converting a Python string to `tf.float16`2020-01-28
CVEList
Segmentation faultin TensorFlow when converting a Python string to tf.float162020-01-28

📋Vendor Advisories

1
Debian
CVE-2020-5215: tensorflow - In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf...2020

📄Research Papers

2
arXiv
APILOT: Navigating Large Language Models to Generate Secure Code by Sidestepping Outdated API Pitfalls2024-09-25
arXiv
Graphene: Infrastructure Security Posture Analysis with AI-generated Attack Graphs2024-05-01
CVE-2020-5215 — Tensorflow vulnerability | cvebase