
CVE-2020-15213 – Denial of service in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15213
25 Sep 2020 — In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since the code uses the last element of the tensor holding the segment ids to determine the dimensionality of the output tensor, attackers can use a very large value to trigger a large allocation. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1 or 2.3.1. A potential workarou... • https://github.com/tensorflow/tensorflow/commit/204945b19e44b57906c9344c0d00120eeeae178a • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2020-15214 – Out of bounds write in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15214
25 Sep 2020 — In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger an out-of-bounds write / segmentation fault if the segment ids are not sorted. The code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of the output tensor. This results in allocating insufficient memory for the output tensor and in a write outside the bounds of the output array. This usually results in a segmentation fault, but depending on ru... • https://github.com/tensorflow/tensorflow/commit/204945b19e44b57906c9344c0d00120eeeae178a • CWE-787: Out-of-bounds Write •

CVE-2020-15201 – Heap buffer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15201
25 Sep 2020 — In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Hence, the code is prone to heap buffer overflow. If `split_values` does not end with a value at least `num_values` then the `while` loop condition will trigger a read outside of the bounds of `split_values` once `batch_idx` grow... • https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 • CWE-20: Improper Input Validation CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVE-2020-15202 – Integer truncation in Shard API usage
https://notcve.org/view.php?id=CVE-2020-15202
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-197: Numeric Truncation Error CWE-754: Improper Check for Unusual or Exceptional Conditions •

CVE-2020-15203 – Denial of Service in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15203
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format used in a `printf` call is constructed. This may result in a segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation CWE-134: Use of Externally-Controlled Format String •

CVE-2020-15204 – Segfault in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15204
25 Sep 2020 — In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling `tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a null pointer dereference. In the linked snippet, in eager mode, `ctx->session_state()` returns `nullptr`. Since the code immediately dereferences this, we get a segmentation fault. The issue is patched in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-476: NULL Pointer Dereference •

CVE-2020-15205 – Data leak in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15205
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory. In the linked code snippet, all the binary strings after `ee ff` are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR. The issue is patched in commit 0462de5b544ed4731aa2fb23946ac22c01856b80, and is ... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVE-2020-15206 – Denial of Service in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15206
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using `tensorflow-serving` or other inference-as-a-service installments. Fixes were added in commits f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d (both going into TensorFlow 2.2.0 and 2.3.0 but n... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation •

CVE-2020-15207 – Segfault and data corruption in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15207
25 Sep 2020 — In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the check that the converted index is valid is present only in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds, which results in segfaults and/or data corruption. The issue is patched in c... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •

CVE-2020-15208 – Data corruption in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15208
25 Sep 2020 — In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK`, which is a no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors. T... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •