PT-2020-14281 · Google+1 · Tensorflow+1
Published
2020-09-25
·
Updated
2024-03-06
·
CVE-2020-15210
CVSS v4.0
8.3
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 1.15.4
TensorFlow versions prior to 2.0.3
TensorFlow versions prior to 2.1.2
TensorFlow versions prior to 2.2.1
TensorFlow versions prior to 2.3.1
Description
If a TFLite saved model uses the same tensor as both input and output of an operator, it can cause a segmentation fault or memory corruption, depending on the operator.
Recommendations
For versions prior to 1.15.4, upgrade to TensorFlow 1.15.4.
For versions prior to 2.0.3, upgrade to TensorFlow 2.0.3.
For versions prior to 2.1.2, upgrade to TensorFlow 2.1.2.
For versions prior to 2.2.1, upgrade to TensorFlow 2.2.1.
For versions prior to 2.3.1, upgrade to TensorFlow 2.3.1.
As a temporary workaround, consider adding a custom
Verifier to the model loading code to ensure that no operator reuses tensors as both inputs and outputs.Exploit
Fix
Memory Corruption
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Suse
Tensorflow