CVE-2020-15208
Data corruption in tensorflow-lite
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors. The issue is patched in commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
En tensorflow-lite versiones anteriores a 1.15.4, 2.0.3, 2.1.2, 2.2.1 y 2.3.1, al determinar el tamaño de dimensión común de dos tensores, TFLite usa un "DCHECK" que no es operativo fuera de los modos de compilación de depuración. Dado que la función siempre devuelve la dimensión del primer tensor, los atacantes maliciosos pueden crear casos en los que este sea mayor que el del segundo tensor. A su vez, esto resultaría en lecturas y escrituras fuera de límites, ya que el intérprete asumirá incorrectamente que existen suficientes datos en ambos tensores. El problema es parcheado en el commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d, y es publicado en TensorFlow versiones 1.15.4, 2.0.3, 2.1.2, 2.2.1 o 2.3.1
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-25 CVE Reserved
- 2020-09-25 CVE Published
- 2023-06-11 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mxjj-953w-2c2v | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/tensorflow/tensorflow/commit/8ee24e7949a203d234489f9da2c5bf45a7d5157d | 2021-09-16 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html | 2021-09-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | < 1.15.4 Search vendor "Google" for product "Tensorflow" and version " < 1.15.4" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.0.0 < 2.0.3 Search vendor "Google" for product "Tensorflow" and version " >= 2.0.0 < 2.0.3" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.1.0 < 2.1.2 Search vendor "Google" for product "Tensorflow" and version " >= 2.1.0 < 2.1.2" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.2.0 < 2.2.1 Search vendor "Google" for product "Tensorflow" and version " >= 2.2.0 < 2.2.1" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.3.0 < 2.3.1 Search vendor "Google" for product "Tensorflow" and version " >= 2.3.0 < 2.3.1" | lite |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.2 Search vendor "Opensuse" for product "Leap" and version "15.2" | - |
Affected
| ||||||