CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15198 – Heap buffer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15198
25 Sep 2020 — In Tensorflow before version 2.3.1, the `SparseCountSparseOutput` implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the `indices` tensor has the same shape as the `values` one. The values in these tensors are always accessed in parallel. Thus, a shape mismatch can result in accesses outside the bounds of heap allocated buffers. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow v... • https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15199 – Denial of Service in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15199
25 Sep 2020 — In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the `splits` tensor has the minimum required number of elements. Code uses this quantity to initialize a different data structure. Since `BatchedMap` is equivalent to a vector, it needs to have at least one element to not be `nullptr`. If user passes a `splits` tensor that is empty or has exactly one element, we get a `SIGABRT` si... • https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15200 – Segfault in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15200
25 Sep 2020 — In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Thus, the code sets up conditions to cause a heap buffer overflow. A `BatchedMap` is equivalent to a vector where each element is a hashmap. However, if the first element of `splits_values` is not 0, `batch_idx` will never be 1, ... • https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 • CWE-20: Improper Input Validation CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15190 – Segfault in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15190
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `tf.raw_ops.Switch` operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is `nullptr`, hence we are binding a reference to `nullptr`. This is undefined behavior and report... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation CWE-476: NULL Pointer Dereference •