CVE-2020-15195

Heap buffer overflow in TensorFlow

CVSS 8.5 HIGH · EPSS 0.9% · CWE-119 · CWE-122

In short

TensorFlow's SparseFillEmptyRowsGrad function uses incorrect array indexing that allows access beyond allocated memory, potentially crashing the application or enabling arbitrary code execution.

Technical detail

CVE-2020-15195 is a double-indexing flaw in SparseFillEmptyRowsGrad: reverse_index_map(i) is used as an index into grad_values and can fall outside its bounds, causing a heap buffer overflow. An attacker able to supply malicious sparse tensor inputs can trigger memory corruption. The vulnerability affects TensorFlow versions prior to 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1.

Summary generated and translated by AI from the official description.
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern. It is possible for `reverse_index_map(i)` to be an index outside of bounds of `grad_values`, thus resulting in a heap buffer overflow. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
tensorflow · tensorflow
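
The double indexing pattern described above, reduced to a stand-alone model with the bounds check a caller-supplied index needs before it is used as a subscript. This is an added example, not TensorFlow source or the patch itself. The names `GradResult` and `fill_empty_rows_grad`, the use of `std::vector`, and the sample values are assumptions made for illustration.

```cpp
// Added example: simplified model of the double-indexing pattern, not TensorFlow source.
#include <cstdint>
#include <cstdio>
#include <vector>

struct GradResult {
  bool ok = false;               // false when reverse_index_map is rejected
  std::vector<float> d_values;   // gradient routed back to each input value
  float d_default_value = 0.0f;  // gradient collected from filled-in slots
};

// reverse_index_map[i] names the slot of grad_values that belongs to input i.
// Both vectors are caller-controlled, so every index is checked against
// grad_values.size() before it is used as a subscript.
GradResult fill_empty_rows_grad(const std::vector<int64_t>& reverse_index_map,
                                const std::vector<float>& grad_values) {
  GradResult r;
  const int64_t n_full = static_cast<int64_t>(grad_values.size());
  std::vector<bool> visited(grad_values.size(), false);
  r.d_values.resize(reverse_index_map.size());
  for (size_t i = 0; i < reverse_index_map.size(); ++i) {
    const int64_t idx = reverse_index_map[i];
    // Unchecked form of the pattern: d_values[i] = grad_values[idx];
    // With idx outside [0, n_full) that read leaves the heap buffer.
    if (idx < 0 || idx >= n_full) {
      r.d_values.clear();
      return r;  // reject the whole input; ok stays false
    }
    r.d_values[i] = grad_values[static_cast<size_t>(idx)];
    visited[static_cast<size_t>(idx)] = true;
  }
  // Slots never referenced by the map contribute to the default-value gradient.
  for (size_t j = 0; j < grad_values.size(); ++j) {
    if (!visited[j]) r.d_default_value += grad_values[j];
  }
  r.ok = true;
  return r;
}

int main() {
  const std::vector<float> grad = {0.5f, 1.5f, 2.0f, 4.0f};  // constructed sample
  GradResult good = fill_empty_rows_grad({2, 0}, grad);
  GradResult bad = fill_empty_rows_grad({2, 7}, grad);  // 7 is not in [0, 4)
  std::printf("good.ok=%d default=%.1f bad.ok=%d\n", good.ok,
              good.d_default_value, bad.ok);
  return 0;
}
```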
