PT-2020-14261 · Google · Tensorflow

Published: 2020-09-25 · Updated: 2024-03-06 · CVE-2020-15190

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 1.15.4
TensorFlow versions prior to 2.0.3
TensorFlow versions prior to 2.1.2
TensorFlow versions prior to 2.2.1
TensorFlow versions prior to 2.3.1

Description

The issue arises from the tf.raw_ops.Switch operation, which takes a tensor and a boolean as input and outputs two tensors. Depending on the boolean value, one output is the input tensor and the other should be an empty tensor. However, the eager runtime traverses all output tensors, and because only one of them is defined, this binds a reference to nullptr, which is undefined behavior. The result is a segmentation fault. The estimated number of potentially affected devices is not specified.

Recommendations

To resolve the issue, upgrade to TensorFlow version 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 or later.
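
An added example, not part of the original advisory or of TensorFlow's own code: a check that decides whether a pinned TensorFlow version falls in the affected ranges listed above. It assumes each listed fix applies to its own minor release line, that release lines newer than 2.3 already contain the fix, and that pre-releases of a patched version count as prior to it; the function names and the sample pins are constructed for illustration.

```python
import re

# Patched release per minor line, taken from the advisory text above.
PATCHED = {(1, 15): 4, (2, 0): 3, (2, 1): 2, (2, 2): 1, (2, 3): 1}
LAST_AFFECTED_LINE = max(PATCHED)  # (2, 3); newer lines are assumed fixed


def parse_version(version):
    """Return (major, minor, patch, is_prerelease) for a version string."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    # a / b / rc / dev suffixes sort before the final release of that version
    is_pre = bool(re.match(r"^[-.]?(a|b|rc|dev)", m.group(4)))
    return major, minor, patch, is_pre


def is_affected(version):
    """True if the version is prior to the fix for its release line."""
    major, minor, patch, is_pre = parse_version(version)
    line = (major, minor)
    if line > LAST_AFFECTED_LINE:
        return False
    fixed_patch = PATCHED.get(line)
    if fixed_patch is None:
        # Older line with no patched release listed (e.g. 1.14): treat as affected.
        return True
    if patch < fixed_patch:
        return True
    return patch == fixed_patch and is_pre


def audit_pins(lines):
    """Return the 'tensorflow==X' pins from requirements-style lines that are affected."""
    hits = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"^tensorflow\s*==\s*(\S+)$", line, re.IGNORECASE)
        if m and is_affected(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample input, not taken from any real project.
SAMPLE_PINS = ["numpy==1.18.5", "tensorflow==2.3.0  # constructed", "tensorflow==2.3.1"]

if __name__ == "__main__":
    print(audit_pins(SAMPLE_PINS))
```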

Exploit

Fix

NULL Pointer Dereference

RCE

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2020-15190
CVE-2020-15190
GHSA-4G9F-63RX-5CW4
OPENSUSE-SU-2020:1766-1
OPENSUSE-SU-2020_1766-1
OPENSUSE-SU-2024:12116-1
PYSEC-2020-113
PYSEC-2020-270
PYSEC-2020-305

Affected Products

Suse
Tensorflow