CVE-2020-15197

Name of the Vulnerable Software and Affected Versions Tensorflow versions prior to 2.3.1

Description The SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor, specifically that the indices tensor has rank 2, which must be a matrix. Malicious users can pass in tensors of different rank, resulting in a CHECK assertion failure and a crash, potentially causing denial of service in serving installations if users are allowed to control the components of the input sparse tensor.

Recommendations For versions prior to 2.3.1, upgrade to TensorFlow 2.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the SparseCountSparseOutput implementation to minimize the risk of exploitation. Avoid allowing users to control the components of the input sparse tensor until the issue is resolved.