CVE-2020-15207
Segfault and data corruption in tensorflow-lite
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
En tensorflow-lite versiones anteriores a 1.15.4, 2.0.3, 2.1.2, 2.2.1 y 2.3.1, para imitar la indexación de Python con valores negativos, TFLite usa "ResolveAxis" para convertir valores negativos en índices positivos. Sin embargo, la única comprobación de que el índice convertido ahora es válido solo está presente en las compilaciones de depuración. Si el "DCHECK" no se activa, entonces la ejecución de código avanza con un índice negativo. Esto, a su vez, resulta en el acceso a los datos fuera de límites, resultando en segmentaciones y/o una corrupción de lo datos. El problema es parcheado en el commit 2d88f470dea2671b430884260f3626b1fe99830a, y es publicado en TensorFlow versiones 1.15.4, 2.0.3, 2.1.2, 2.2.1 o 2.3.1
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-25 CVE Reserved
- 2020-09-25 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-09-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-787: Out-of-bounds Write
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q4qf-3fc6-8x34 | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/tensorflow/tensorflow/commit/2d88f470dea2671b430884260f3626b1fe99830a | 2021-11-18 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html | 2021-11-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | < 1.15.4 Search vendor "Google" for product "Tensorflow" and version " < 1.15.4" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.0.0 < 2.0.3 Search vendor "Google" for product "Tensorflow" and version " >= 2.0.0 < 2.0.3" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.1.0 < 2.1.2 Search vendor "Google" for product "Tensorflow" and version " >= 2.1.0 < 2.1.2" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.2.0 < 2.2.1 Search vendor "Google" for product "Tensorflow" and version " >= 2.2.0 < 2.2.1" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.3.0 < 2.3.1 Search vendor "Google" for product "Tensorflow" and version " >= 2.3.0 < 2.3.1" | lite |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.2 Search vendor "Opensuse" for product "Leap" and version "15.2" | - |
Affected
| ||||||