In Tensorflow version 2.3.0, the `SparseCountSparseOutput` and `RaggedCountSparseOutput` implementations don't validate that the `weights` tensor has the same shape as the data. The check exists for `DenseCountSparseOutput`, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the bounds of the heap buffer allocated for the weights. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.
References
Link | Resource |
---|---|
https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02 | Patch Third Party Advisory |
https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 | Third Party Advisory |
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pg59-2f92-5cph | Exploit Third Party Advisory |
Configurations
History
18 Nov 2021, 17:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-122 |
CWE-125 |
17 Aug 2021, 13:21
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:google:tensorflow:2.3.0:*:*:*:-:*:*:* |
Information
Published : 2020-09-25 19:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-15196
Mitre link : CVE-2020-15196
CVE.ORG link : CVE-2020-15196
JSON object : View
Products Affected
- tensorflow