CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2020-26267 – Lack of validation in data format attributes in TensorFlow
https://notcve.org/view.php?id=CVE-2020-26267
10 Dec 2020 — In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. En las versiones afectadas de TensorFlow, la API tf.raw_ops.DataFormatVecPermute no comprueba los atributos src_format y dst_format. • https://github.com/tensorflow/tensorflow/commit/ebc70b7a592420d3d2f359e4b1694c236b82c7ae • CWE-125: Out-of-bounds Read •
CVSS: 4.4EPSS: 0%CPEs: 5EXPL: 1CVE-2020-26268 – Write to immutable memory region in TensorFlow
https://notcve.org/view.php?id=CVE-2020-26268
10 Dec 2020 — In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snip... • https://github.com/tensorflow/tensorflow/commit/c1e1fc899ad5f8c725dcbb6470069890b5060bc7 • CWE-471: Modification of Assumed-Immutable Data (MAID) •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2020-26269 – Heap out of bounds read in filesystem glob matching in TensorFlow
https://notcve.org/view.php?id=CVE-2020-26269
10 Dec 2020 — In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.... • https://github.com/tensorflow/tensorflow/commit/8b5b9dc96666a3a5d27fad7179ff215e3b74b67c • CWE-125: Out-of-bounds Read •
CVSS: 4.4EPSS: 0%CPEs: 5EXPL: 0CVE-2020-26270 – CHECK-fail in LSTM with zero-length input in TensorFlow
https://notcve.org/view.php?id=CVE-2020-26270
10 Dec 2020 — In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. En las versiones afectadas de TensorFlow que ejecutan un modelo LSTM/GRU donde la capa LSTM/GRU recibe una entrada con longitud cero, se produc... • https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fec7f16e3 • CWE-20: Improper Input Validation •
CVSS: 4.4EPSS: 0%CPEs: 5EXPL: 1CVE-2020-26271 – Heap out of bounds access in MakeEdge in TensorFlow
https://notcve.org/view.php?id=CVE-2020-26271
10 Dec 2020 — In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, t... • https://github.com/tensorflow/tensorflow/commit/0cc38aaa4064fd9e79101994ce9872c6d91f816b • CWE-125: Out-of-bounds Read CWE-908: Use of Uninitialized Resource •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15266 – Undefined behavior in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15266
21 Oct 2020 — In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. En Tensorflow ve... • https://github.com/tensorflow/tensorflow/issues/42129 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15265 – Segfault in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15265
21 Oct 2020 — In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in ecc... • https://github.com/tensorflow/tensorflow/commit/eccb7ec454e6617738554a255d77f08e60ee0808 • CWE-125: Out-of-bounds Read •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 1CVE-2020-15212 – Out of bounds access in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15212
25 Sep 2020 — In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `output_data` buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced exploits. The issue is patched... • https://github.com/tensorflow/tensorflow/commit/204945b19e44b57906c9344c0d00120eeeae178a • CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2020-15213 – Denial of service in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15213
25 Sep 2020 — In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workarou... • https://github.com/tensorflow/tensorflow/commit/204945b19e44b57906c9344c0d00120eeeae178a • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2020-15214 – Out of bounds write in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15214
25 Sep 2020 — In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a write out bounds / segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor. This results in allocating insufficient memory for the output tensor and in a write outside the bounds of the output array. This usually results in a segmentation fault, but depending on ru... • https://github.com/tensorflow/tensorflow/commit/204945b19e44b57906c9344c0d00120eeeae178a • CWE-787: Out-of-bounds Write •