
CVE-2020-26269 – Heap out of bounds read in filesystem glob matching in TensorFlow
https://notcve.org/view.php?id=CVE-2020-26269
10 Dec 2020 — In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.... • https://github.com/tensorflow/tensorflow/commit/8b5b9dc96666a3a5d27fad7179ff215e3b74b67c • CWE-125: Out-of-bounds Read •

CVE-2020-26270 – CHECK-fail in LSTM with zero-length input in TensorFlow
https://notcve.org/view.php?id=CVE-2020-26270
10 Dec 2020 — In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. • https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fec7f16e3 • CWE-20: Improper Input Validation •

CVE-2020-26271 – Heap out of bounds access in MakeEdge in TensorFlow
https://notcve.org/view.php?id=CVE-2020-26271
10 Dec 2020 — In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, t... • https://github.com/tensorflow/tensorflow/commit/0cc38aaa4064fd9e79101994ce9872c6d91f816b • CWE-125: Out-of-bounds Read CWE-908: Use of Uninitialized Resource •

CVE-2020-15266 – Undefined behavior in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15266
21 Oct 2020 — In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. • https://github.com/tensorflow/tensorflow/issues/42129 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2020-15265 – Segfault in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15265
21 Oct 2020 — In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in ecc... • https://github.com/tensorflow/tensorflow/commit/eccb7ec454e6617738554a255d77f08e60ee0808 • CWE-125: Out-of-bounds Read •

CVE-2020-15212 – Out of bounds access in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15212
25 Sep 2020 — In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `output_data` buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced exploits. The issue is patched... • https://github.com/tensorflow/tensorflow/commit/204945b19e44b57906c9344c0d00120eeeae178a • CWE-787: Out-of-bounds Write •

CVE-2020-15213 – Denial of service in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15213
25 Sep 2020 — In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workarou... • https://github.com/tensorflow/tensorflow/commit/204945b19e44b57906c9344c0d00120eeeae178a • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2020-15214 – Out of bounds write in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15214
25 Sep 2020 — In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a write out of bounds / segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor. This results in allocating insufficient memory for the output tensor and in a write outside the bounds of the output array. This usually results in a segmentation fault, but depending on ru... • https://github.com/tensorflow/tensorflow/commit/204945b19e44b57906c9344c0d00120eeeae178a • CWE-787: Out-of-bounds Write •

CVE-2020-15201 – Heap buffer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15201
25 Sep 2020 — In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Hence, the code is prone to heap buffer overflow. If `split_values` does not end with a value at least `num_values` then the `while` loop condition will trigger a read outside of the bounds of `split_values` once `batch_idx` grow... • https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 • CWE-20: Improper Input Validation CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVE-2020-15202 – Integer truncation in Shard API usage
https://notcve.org/view.php?id=CVE-2020-15202
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-197: Numeric Truncation Error CWE-754: Improper Check for Unusual or Exceptional Conditions •