PT-2020-14274 · Google+1 · Tensorflow+1

Published: 2020-09-25 · Updated: 2024-03-06 · CVE-2020-15203

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Tensorflow versions prior to 1.15.4
Tensorflow versions prior to 2.0.3
Tensorflow versions prior to 2.1.2
Tensorflow versions prior to 2.2.1
Tensorflow versions prior to 2.3.1

Description

A format string vulnerability exists due to the way the internal format is used in a printf call when the fill argument of tf.strings.as_string is controlled by a malicious attacker. This may result in a segmentation fault. The issue is triggered by passing specific characters, such as n or s, as the fill argument.

Recommendations

To resolve the issue, upgrade to the fixed release for your release line, or later:

TensorFlow 1.15.4 or later
TensorFlow 2.0.3 or later
TensorFlow 2.1.2 or later
TensorFlow 2.2.1 or later
TensorFlow 2.3.1 or later
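
A version check against the fixed releases listed in this advisory, as an added example that is not part of the original record. The function names and the package names tensorflow-cpu and tensorflow-gpu are assumptions, as is the rule that each fix applies to its own minor release line, with lines older than 1.15 treated as affected and lines newer than 2.3 treated as fixed.

```python
import re
from importlib import metadata

# Fixed patch level per (major, minor) release line, taken from the advisory.
FIXED = {(1, 15): 4, (2, 0): 3, (2, 1): 2, (2, 2): 1, (2, 3): 1}


def parse_version(version):
    """Return (major, minor, patch, is_prerelease) for a version string."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    # rc/a/b/dev suffixes mark builds cut before the final release.
    prerelease = bool(re.match(r"^[-.]?(rc|a|b|dev)", m.group(4)))
    return major, minor, patch, prerelease


def is_affected(version):
    """True if the version predates the fix for CVE-2020-15203."""
    major, minor, patch, prerelease = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        fixed_patch = FIXED[line]
        # A pre-release of the fixed version is treated as affected (conservative).
        return patch < fixed_patch or (patch == fixed_patch and prerelease)
    # Assumption: lines older than 1.15 never received the fix; newer lines include it.
    return line < min(FIXED)


def installed_tensorflow_status(
    packages=("tensorflow", "tensorflow-cpu", "tensorflow-gpu"),  # assumed names
):
    """Map each installed package to (version, affected) without importing it."""
    status = {}
    for name in packages:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        status[name] = (version, is_affected(version))
    return status


if __name__ == "__main__":
    for name, (version, affected) in installed_tensorflow_status().items():
        print(f"{name} {version}: {'AFFECTED' if affected else 'fixed'}")
```
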

Exploit

Fix

Use of Externally-Controlled Format String

RCE

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2020-15203
CVE-2020-15203
GHSA-XMQ7-7FXM-RR79
OPENSUSE-SU-2020:1766-1
OPENSUSE-SU-2020_1766-1
OPENSUSE-SU-2024:12116-1
PYSEC-2020-126
PYSEC-2020-283
PYSEC-2020-318

Affected Products

Suse
Tensorflow