Lucene search

GitHub_MCVE-2020-15194

HistorySep 25, 2020 - 7:15 p.m.

CVE-2020-15194

2020-09-2519:15:14

CWE-617

CWE-20

GitHub_M

web.nvd.nist.gov

134

cve-2020-15194

tensorflow

security vulnerability

denial of service

patch

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

5.2

Confidence

High

EPSS

0.002

Percentile

57.2%

JSON

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the SparseFillEmptyRowsGrad implementation has incomplete validation of the shapes of its arguments. Although reverse_index_map_t and grad_values_t are accessed in a similar pattern, only reverse_index_map_t is validated to be of proper shape. Hence, malicious users can pass a bad grad_values_t to trigger an assertion failure in vec, causing denial of service in serving installations. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1."

Affected configurations

Nvd

Vulners

Node

googletensorflowRange<1.15.4-

googletensorflowRange2.0.0–2.0.3-

googletensorflowRange2.1.0–2.1.2-

googletensorflowRange2.2.0–2.2.1-

googletensorflowRange2.3.0–2.3.1-

Node

opensuseleapMatch15.2

VendorProductVersionCPE
googletensorflow*cpe:2.3:a:google:tensorflow:*:*:*:*:-:*:*:*
opensuseleap15.2cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
google	tensorflow	*	cpe:2.3:a:google:tensorflow:::::-:::*
opensuse	leap	15.2	cpe:2.3:o:opensuse:leap:15.2:::::::*

CNA Affected

[
  {
    "product": "tensorflow",
    "vendor": "tensorflow",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.15.4"
      },
      {
        "status": "affected",
        "version": ">= 2.0.0, < 2.0.3"
      },
      {
        "status": "affected",
        "version": ">= 2.1.0, < 2.1.2"
      },
      {
        "status": "affected",
        "version": ">= 2.2.0, < 2.2.1"
      },
      {
        "status": "affected",
        "version": ">= 2.3.0, < 2.3.1"
      }
    ]
  }
]