PT-2019-11098 · Google · Tensorflow

Published

2019-04-24

Updated

2019-04-30

CVE-2018-7575

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Google TensorFlow versions 1.7.x and earlier

Description: The issue is related to a Buffer Overflow, where the type of exploitation is context-dependent. Specifically, the block size in a meta file might contain a large int64 value, causing an integer overflow upon addition. This can lead to subsequent code using the value as an index, resulting in an out-of-bounds read. A maliciously crafted meta checkpoint could be used to cause the TensorFlow process to perform an out-of-bounds read on in-process memory.

Recommendations: For Google TensorFlow versions 1.7.x and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190

Related Identifiers

CVE-2018-7575

GHSA-MW6V-CRH8-8533

PYSEC-2019-205

PYSEC-2019-223

PYSEC-2019-230

Affected Products

Tensorflow

PT-2019-11098 · Google · Tensorflow

CVE-2018-7575

Weakness Enumeration

Related Identifiers

Affected Products

References · 13