CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15204 – Segfault in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15204
25 Sep 2020 — In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling `tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a null pointer dereference In linked snippet, in eager mode, `ctx->session_state()` returns `nullptr`. Since code immediately dereferences this, we get a segmentation fault. The issue is patched in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15205 – Data leak in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15205
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after `ee ff` are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR. The issue is patched in commit 0462de5b544ed4731aa2fb23946ac22c01856b80, and is ... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15206 – Denial of Service in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15206
25 Sep 2020 — In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using `tensorflow-serving` or other inference-as-a-service installments. Fixed were added in commits f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d (both going into TensorFlow 2.2.0 and 2.3.0 but n... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 1%CPEs: 6EXPL: 1CVE-2020-15207 – Segfault and data corruption in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15207
25 Sep 2020 — In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in c... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15208 – Data corruption in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15208
25 Sep 2020 — In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors. T... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15209 – Null pointer dereference in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15209
25 Sep 2020 — In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with `nullptr`. However, by changing the buffer index for a tensor and implicitly converting that tensor t... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15210 – Segmentation fault in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15210
25 Sep 2020 — In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. En tensorflow-lite versiones anteriores a 1.15.4, 2.0.3, 2.1.2... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 5.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15211 – Out of bounds access in tensorflow-lite
https://notcve.org/view.php?id=CVE-2020-15211
25 Sep 2020 — In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor. However, some operators can have som... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2020-15191 – Undefined behavior in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15191
25 Sep 2020 — In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to `dlpack.to_dlpack` the expected validations will cause variables to bind to `nullptr` while setting a `status` variable to the error condition. However, this `status` argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with `-fsanitize=null`. The issue is patched in commit 22e07fb204386768e5bcbea563641... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation CWE-252: Unchecked Return Value CWE-476: NULL Pointer Dereference •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2020-15192 – Memory leak in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15192
25 Sep 2020 — In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the `status` argument during validation failures is not properly checked. Since each of the above methods can return an error status, the `status` value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1. En... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html • CWE-20: Improper Input Validation •