CVE-2020-15210

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
6.5 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
googletensorflow
𝑥
< 1.15.4
googletensorflow
2.0.0 ≤
𝑥
< 2.0.3
googletensorflow
2.1.0 ≤
𝑥
< 2.1.2
googletensorflow
2.2.0 ≤
𝑥
< 2.2.1
googletensorflow
2.3.0 ≤
𝑥
< 2.3.1
opensuseleap
15.2
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
tensorflowtensorflow
𝑥
< 1.15.4
CNA
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html
https://github.com/tensorflow/tensorflow/commit/d58c96946b2880991d63d1dacacb32f0a4dfa453
https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x9j7-x98r-r4w2
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html
https://github.com/tensorflow/tensorflow/commit/d58c96946b2880991d63d1dacacb32f0a4dfa453
https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x9j7-x98r-r4w2