| Vulnerability Name: | CVE-2020-15196 (CCN-188925) | ||||||||||||
| Assigned: | 2020-06-25 | ||||||||||||
| Published: | 2020-06-25 | ||||||||||||
| Updated: | 2021-11-18 | ||||||||||||
| Summary: | In Tensorflow version 2.3.0, the `SparseCountSparseOutput` and `RaggedCountSparseOutput` implementations don't validate that the `weights` tensor has the same shape as the data. The check exists for `DenseCountSparseOutput`, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the bounds of the heap buffer allocated for the weights. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1. | ||||||||||||
| CVSS v3 Severity: | 9.9 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) 8.6 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
7.4 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
| ||||||||||||
| Vulnerability Type: | CWE-125 | ||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2020-15196 Source: XF Type: UNKNOWN tensorflow-cve202015196-bo(188925) Source: MISC Type: Patch, Third Party Advisory https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 Source: MISC Type: Third Party Advisory https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 Source: CCN Type: TensorFlow Lite GIT Repository Heap buffer overflow in weighted sparse count ops Source: CONFIRM Type: Exploit, Third Party Advisory https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pg59-2f92-5cph Source: CCN Type: IBM Security Bulletin 6357195 (Watson Machine Learning Community Edition) Numerous CVE entires for TensorFlow in Watson Machine Learning Community Edition Source: CCN Type: IBM Security Bulletin 6364979 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow Source: CCN Type: IBM Security Bulletin 6434211 (Watson Machine Learning) Tensor Flow security vulnerabilities on IBM Watson Machine Learning on CP4D Source: CCN Type: IBM Security Bulletin 6445773 (Watson Machine Learning Server on-prem) Tensor Flow security vulnerabilities on IBM Watson Machine Learning Server Source: CCN Type: WhiteSource Vulnerability Database CVE-2020-15196 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||