Home > Vulnerability Database > CVE-2020-15202

Mend.io Vulnerability Database

CVE-2020-15202

Good to know:

Date: September 25, 2020

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption. The issue is patched in commits 27b417360cbd671ef55915e4bb6bb06af8b8a832 and ca8c013b5e97b1373b3bb1c97ea655e69f31a575, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Language: C++

Severity Score

9.0

Related Resources (11)

Url: https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-125.yaml

Url: https://github.com/tensorflow/tensorflow/commit/ca8c013b5e97b1373b3bb1c97ea655e69f31a575

Url: https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1

Url: https://github.com/tensorflow/tensorflow/commit/27b417360cbd671ef55915e4bb6bb06af8b8a832

Url: http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html

Url: https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-282.yaml

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-15202

Url: https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-317.yaml

Url: https://github.com/tensorflow/tensorflow

Url: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6fg-mjxg-hqq4

Url: https://www.mend.io/vulnerability-database/CVE-2020-15202

Severity Score

9.0

Weakness Type (CWE)

Improper Check for Unusual or Exceptional Conditions

CWE-754

Numeric Truncation Error

CWE-197

Top Fix

Upgrade Version

Upgrade to version 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-15202

Good to know:

Date: September 25, 2020

Language: C++

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?