| Vulnerability Name: | CVE-2020-15200 (CCN-188939) | ||||||||||||
| Assigned: | 2020-06-25 | ||||||||||||
| Published: | 2020-06-25 | ||||||||||||
| Updated: | 2021-11-18 | ||||||||||||
| Summary: | In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Thus, the code sets up conditions to cause a heap buffer overflow. A `BatchedMap` is equivalent to a vector where each element is a hashmap. However, if the first element of `splits_values` is not 0, `batch_idx` will never be 1, hence there will be no hashmap at index 0 in `per_batch_counts`. Trying to access that in the user code results in a segmentation fault. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1. | ||||||||||||
| CVSS v3 Severity: | 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
| ||||||||||||
| Vulnerability Type: | CWE-787 | ||||||||||||
| Vulnerability Consequences: | Denial of Service | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2020-15200 Source: XF Type: UNKNOWN tensorflow-cve202015200-dos(188939) Source: MISC Type: Patch, Third Party Advisory https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 Source: MISC Type: Third Party Advisory https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 Source: CCN Type: TensorFlow Lite GIT Repository Segfault due to invalid splits in RaggedCountSparseOutput Source: CONFIRM Type: Exploit, Third Party Advisory https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x7rp-74x2-mjf3 Source: CCN Type: IBM Security Bulletin 6357195 (Watson Machine Learning Community Edition) Numerous CVE entires for TensorFlow in Watson Machine Learning Community Edition Source: CCN Type: IBM Security Bulletin 6364979 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow Source: CCN Type: IBM Security Bulletin 6434211 (Watson Machine Learning) Tensor Flow security vulnerabilities on IBM Watson Machine Learning on CP4D Source: CCN Type: IBM Security Bulletin 6445773 (Watson Machine Learning Server on-prem) Tensor Flow security vulnerabilities on IBM Watson Machine Learning Server Source: CCN Type: WhiteSource Vulnerability Database CVE-2020-15200 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||