CVE-2020-15192
Memory leak in Tensorflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the `status` argument during validation failures is not properly checked. Since each of the above methods can return an error status, the `status` value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.
En Tensorflow versiones anteriores a 2.2.1 y 2.3.1, si un usuario pasa una lista de cadenas hacia "dlpack.to_dlpack", se presenta una pérdida de memoria después de un fallo de comprobación esperada. El problema se produce porque el argumento "status" durante los fallos de comprobación no se verifica correctamente. Dado que cada uno de los métodos anteriores puede devolver un estado de error, el valor de "status" debe comprobarse antes de continuar. El problema es parcheado en el commit 22e07fb204386768e5bcbea563641ea11f96ceb8 y es publicado en TensorFlow versiones 2.2.1 o 2.3.1
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-25 CVE Reserved
- 2020-09-25 CVE Published
- 2024-03-17 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8fxw-76px-3rxv | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8 | 2021-11-18 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html | 2021-11-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | 2.2.0 Search vendor "Google" for product "Tensorflow" and version "2.2.0" | - |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | 2.3.0 Search vendor "Google" for product "Tensorflow" and version "2.3.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.2 Search vendor "Opensuse" for product "Leap" and version "15.2" | - |
Affected
| ||||||