PT-2020-8877 · Google · TensorFlow

David G. Andersen · Published 2020-05-04 · Updated 2020-05-13 · CVE-2018-21233

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 1.7.0

Description: An integer overflow in the BMP decoder leads to an out-of-bounds read, which can disclose the contents of process memory to whoever supplies the image. The flaw is in the DecodeBmp op (exposed to Python as tf.image.decode_bmp) in core/kernels/decode_bmp_op.cc: image dimensions taken from an untrusted BMP header are used in size arithmetic that can wrap, so the bounds check passes and the pixel loop reads past the end of the input buffer. The vector's UI:P reflects that a victim must feed an attacker-supplied BMP into the decoder, as an inference service or data pipeline that accepts user-uploaded images would.

Recommendations: Upgrade to TensorFlow 1.7.0 or later, which contains the fix. Where upgrading is not yet possible, do not pass untrusted BMP data to the DecodeBmp op: restrict which code paths can reach the BMP decoder, and decode or validate untrusted images with a separate, hardened image library before they enter the TensorFlow graph.
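The bug class described above, as an added illustration that is not TensorFlow's code: a simplified BMP header size check written two ways. The vulnerable version computes the row and image sizes in 32-bit arithmetic, so a hostile width or height wraps to a small value and the bounds check accepts a header whose pixel data extends far past the buffer. The hardened version validates each field, rejects INT32_MIN (its magnitude is not representable as a positive int32), caps the pixel count, and does the arithmetic in 64 bits. The header offsets follow the standard 14-byte file header plus 40-byte BITMAPINFOHEADER; the sample headers, the pixel cap, and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Offsets into a BMP file with a 14-byte file header and a 40-byte BITMAPINFOHEADER. */
enum { BMP_HDR_LEN = 54, OFF_DATA = 10, OFF_WIDTH = 18, OFF_HEIGHT = 22, OFF_BPP = 28 };

/* BMP fields are little-endian. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hypothetical vulnerable check (illustrative, not TensorFlow's code). Row and image
 * sizes are computed in 32-bit arithmetic, so a hostile width/height wraps to a small
 * value, the comparison against len passes, and a following pixel loop would read
 * past the end of buf. Returns 1 to accept the header, 0 to reject it. */
int bmp_check_vulnerable(const uint8_t *buf, size_t len) {
    if (len < BMP_HDR_LEN) return 0;
    int32_t width  = (int32_t)rd32(buf + OFF_WIDTH);
    int32_t height = (int32_t)rd32(buf + OFF_HEIGHT);          /* negative = top-down rows */
    uint32_t channels = rd16(buf + OFF_BPP) / 8u;
    uint32_t abs_h = height < 0 ? 0u - (uint32_t)height : (uint32_t)height;
    uint32_t row_size  = ((uint32_t)width * channels + 3u) & ~3u;  /* may wrap */
    uint32_t data_size = row_size * abs_h;                           /* may wrap */
    uint32_t data_off  = rd32(buf + OFF_DATA);
    return (uint64_t)data_off + data_size <= len;
}

/* Hardened check: validate every header field, refuse INT32_MIN, cap the pixel
 * count, and do all size arithmetic in 64 bits so it cannot wrap before the
 * comparison. Width and height are each < 2^31, so their product fits in int64. */
int bmp_check_hardened(const uint8_t *buf, size_t len, int64_t max_pixels) {
    if (len < BMP_HDR_LEN) return 0;
    int32_t width  = (int32_t)rd32(buf + OFF_WIDTH);
    int32_t height = (int32_t)rd32(buf + OFF_HEIGHT);
    uint16_t bpp   = rd16(buf + OFF_BPP);
    uint32_t data_off = rd32(buf + OFF_DATA);
    if (width <= 0 || height == 0 || height == INT32_MIN) return 0;
    if (bpp != 8 && bpp != 24 && bpp != 32) return 0;
    if (data_off < (uint32_t)BMP_HDR_LEN || data_off > len) return 0;
    int64_t abs_h = height < 0 ? -(int64_t)height : (int64_t)height;
    if ((int64_t)width * abs_h > max_pixels) return 0;          /* bounds later products too */
    int64_t row_size  = ((int64_t)width * (bpp / 8) + 3) & ~(int64_t)3;
    int64_t data_size = row_size * abs_h;
    return (uint64_t)data_off + (uint64_t)data_size <= len;
}

/* Builds a constructed 54-byte header; any pixel bytes follow it in the caller's buffer. */
static void build_header(uint8_t *out, int32_t width, int32_t height, uint16_t bpp, uint32_t data_off) {
    memset(out, 0, BMP_HDR_LEN);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + OFF_DATA, data_off);
    wr32(out + 14, 40);                                        /* info header size */
    wr32(out + OFF_WIDTH, (uint32_t)width);
    wr32(out + OFF_HEIGHT, (uint32_t)height);
    out[26] = 1;                                               /* colour planes */
    out[OFF_BPP] = (uint8_t)bpp; out[OFF_BPP + 1] = (uint8_t)(bpp >> 8);
}

#define SAMPLE_LEN 70          /* constructed: 54-byte header + 16 pixel bytes */
#define PIXEL_CAP (1LL << 26)  /* constructed policy limit for this example */

/* Sample 1 (constructed): a legitimate 2x2 24-bpp image, rows padded to 8 bytes, 16 data bytes. */
int sample_valid(int hardened) {
    uint8_t buf[SAMPLE_LEN]; memset(buf, 0xAB, sizeof buf);
    build_header(buf, 2, 2, 24, BMP_HDR_LEN);
    return hardened ? bmp_check_hardened(buf, sizeof buf, PIXEL_CAP) : bmp_check_vulnerable(buf, sizeof buf);
}

/* Sample 2 (constructed): width 0x55555556 * 3 channels = 0x100000002, which wraps to 2 in
 * 32-bit arithmetic, so the vulnerable check believes the image needs only 4 bytes. */
int sample_width_wrap(int hardened) {
    uint8_t buf[SAMPLE_LEN]; memset(buf, 0xAB, sizeof buf);
    build_header(buf, 0x55555556, 1, 24, BMP_HDR_LEN);
    return hardened ? bmp_check_hardened(buf, sizeof buf, PIXEL_CAP) : bmp_check_vulnerable(buf, sizeof buf);
}

/* Sample 3 (constructed): height INT32_MIN with 4-byte padded rows; 4 * 2^31 wraps to 0 data bytes. */
int sample_height_min(int hardened) {
    uint8_t buf[SAMPLE_LEN]; memset(buf, 0xAB, sizeof buf);
    build_header(buf, 1, INT32_MIN, 8, BMP_HDR_LEN);
    return hardened ? bmp_check_hardened(buf, sizeof buf, PIXEL_CAP) : bmp_check_vulnerable(buf, sizeof buf);
}
```

Both checks accept the genuine 2x2 image, but only the vulnerable one accepts the two hostile headers, each of which describes gigabytes of pixel data inside a 70-byte buffer. The practical lesson for anyone triaging image decoders is the same as in the advisory: any size derived from attacker-controlled dimensions must be computed in a wider type (or with overflow-checked arithmetic) and compared against the real input length before a single pixel is read.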

Fix: TensorFlow 1.7.0

Weakness Enumeration: Out-of-bounds Read (CWE-125)
Related Identifiers

CVE-2018-21233
GHSA-H98H-8MXR-M8GX
PYSEC-2020-253
PYSEC-2020-269
PYSEC-2020-304

Affected Products

TensorFlow