CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15209 – Null pointer dereference in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15209
25 Sep 2020 — In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with `nullptr`. However, by changing the buffer index for a tensor and implicitly converting that tensor t... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15210 – Segmentation fault in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15210
25 Sep 2020 — In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. En tensorflow-lite versiones anteriores a 1.15.4, 2.0.3, 2.1.2... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 5.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15211 – Out of bounds access in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15211
25 Sep 2020 — In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor. However, some operators can have som... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2020-15191 – Undefined behavior in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15191
25 Sep 2020 — In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to `dlpack.to_dlpack` the expected validations will cause variables to bind to `nullptr` while setting a `status` variable to the error condition. However, this `status` argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with `-fsanitize=null`. The issue is patched in commit 22e07fb204386768e5bcbea563641... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation CWE-252: Unchecked Return Value CWE-476: NULL Pointer Dereference •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2020-15192 – Memory leak in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15192
25 Sep 2020 — In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the `status` argument during validation failures is not properly checked. Since each of the above methods can return an error status, the `status` value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1. En... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 1CVE-2020-15193 – Memory corruption in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15193
25 Sep 2020 — In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-908: Use of Uninitialized Resource •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15194 – Denial of Service in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15194
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `SparseFillEmptyRowsGrad` implementation has incomplete validation of the shapes of its arguments. Although `reverse_index_map_t` and `grad_values_t` are accessed in a similar pattern, only `reverse_index_map_t` is validated to be of proper shape. Hence, malicious users can pass a bad `grad_values_t` to trigger an assertion failure in `vec`, causing denial of service in serving installations. The issue is patched in commit 390611e0d45c... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15195 – Heap buffer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15195
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern. It is possible for `reverse_index_map(i)` to be an index outside of bounds of `grad_values`, thus resulting in a heap buffer overflow. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. En Tensorflow versiones anteriores a 1.15.4, 2.0.3, 2.1.2, 2.2.1 y 2.3.1, la ... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15196 – Heap buffer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15196
25 Sep 2020 — In Tensorflow version 2.3.0, the `SparseCountSparseOutput` and `RaggedCountSparseOutput` implementations don't validate that the `weights` tensor has the same shape as the data. The check exists for `DenseCountSparseOutput`, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the bounds of the heap buffer all... • https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow CWE-125: Out-of-bounds Read •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15197 – Denial of Service in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15197
25 Sep 2020 — In Tensorflow before version 2.3.1, the `SparseCountSparseOutput` implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the `indices` tensor has rank 2. This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of different rank, resulting in a `CHECK` assertion failure and a crash. This can be used to cause denial of service in serving installati... • https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •