CVE-2020-15207
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Summary
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses ResolveAxis to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the DCHECK does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| tensorflow | tensorflow | < 1.15.4 | affected |
| tensorflow | tensorflow | >= 2.0.0, < 2.0.3 | affected |
| tensorflow | tensorflow | >= 2.1.0, < 2.1.2 | affected |
| tensorflow | tensorflow | >= 2.2.0, < 2.2.1 | affected |
| tensorflow | tensorflow | >= 2.3.0, < 2.3.1 | affected |
Weaknesses
- CWE-119: {"CWE-119":"Improper Restriction of Operations within the Bounds of a Memory Buffer"}
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q4qf-3fc6-8x34
- https://github.com/tensorflow/tensorflow/commit/2d88f470dea2671b430884260f3626b1fe99830a
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html
References
- https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q4qf-3fc6-8x34
- https://github.com/tensorflow/tensorflow/commit/2d88f470dea2671b430884260f3626b1fe99830a
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.