CVE-2020-15205

25.09.2020, 19:15

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after `ee ff` are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR. The issue is patched in commit 0462de5b544ed4731aa2fb23946ac22c01856b80, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9 CRITICAL	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
GitHub_M	CNA	9 CRITICAL	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 66%

Vendor	Product	Version
google	tensorflow	𝑥 < 1.15.4
google	tensorflow	2.0.0 ≤ 𝑥 < 2.0.3
google	tensorflow	2.1.0 ≤ 𝑥 < 2.1.2
google	tensorflow	2.2.0 ≤ 𝑥 < 2.2.1
google	tensorflow	2.3.0 ≤ 𝑥 < 2.3.1
opensuse	leap	15.2

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html

https://github.com/tensorflow/tensorflow/commit/0462de5b544ed4731aa2fb23946ac22c01856b80

https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g7p5-5759-qv46

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html

https://github.com/tensorflow/tensorflow/commit/0462de5b544ed4731aa2fb23946ac22c01856b80

https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g7p5-5759-qv46