CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15201 – Heap buffer overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15201
In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Hence, the code is prone to heap buffer overflow. If `split_values` does not end with a value at least `num_values` then the `while` loop condition will trigger a read outside of the bounds of `split_values` once `batch_idx` grows too large. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1. • https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-p5f8-gfw5-33w4 • CWE-20: Improper Input Validation CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15202 – Integer truncation in Shard API usage
https://notcve.org/view.php?id=CVE-2020-15202
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption. The issue is patched in commits 27b417360cbd671ef55915e4bb6bb06af8b8a832 and ca8c013b5e97b1373b3bb1c97ea655e69f31a575, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html https://github.com/tensorflow/tensorflow/commit/27b417360cbd671ef55915e4bb6bb06af8b8a832 https://github.com/tensorflow/tensorflow/commit/ca8c013b5e97b1373b3bb1c97ea655e69f31a575 https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6fg-mjxg-hqq4 • CWE-197: Numeric Truncation Error CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15203 – Denial of Service in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15203
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed. This may result in segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. En Tensorflow versiones anteriores a 1.15.4, 2.0.3, 2.1.2, 2.2.1 y 2.3.1, al controlar el argumento "fill" de tf.strings.as_string, un atacante malicioso puede desencadenar una vulnerabilidad de cadena de formato debido a la manera en que se construye el uso del formato interno en una llamada de "printf". Esto puede resultar en un fallo de segmentación. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html https://github.com/tensorflow/tensorflow/commit/33be22c65d86256e6826666662e40dbdfe70ee83 https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xmq7-7fxm-rr79 • CWE-20: Improper Input Validation CWE-134: Use of Externally-Controlled Format String •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15204 – Segfault in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15204
In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling `tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a null pointer dereference In linked snippet, in eager mode, `ctx->session_state()` returns `nullptr`. Since code immediately dereferences this, we get a segmentation fault. The issue is patched in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. En modo eager, TensorFlow versiones anteriores a 1.15.4, 2.0.3, 2.1.2, 2.2.1 y 2.3.1 no establece el estado de la sesión. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html https://github.com/tensorflow/tensorflow/commit/9a133d73ae4b4664d22bd1aa6d654fec13c52ee1 https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q8gv-q7wr-9jf8 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-15205 – Data leak in Tensorflow
https://notcve.org/view.php?id=CVE-2020-15205
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after `ee ff` are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR. The issue is patched in commit 0462de5b544ed4731aa2fb23946ac22c01856b80, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. En Tensorflow versiones anteriores a 1.15.4, 2.0.3, 2.1.2, 2.2.1 y 2.3.1, el argumento "data_splits" de "tf.raw_ops.StringNGrams" carece de comprobación. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html https://github.com/tensorflow/tensorflow/commit/0462de5b544ed4731aa2fb23946ac22c01856b80 https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g7p5-5759-qv46 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •