CVE-2020-15201 : In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation

In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Hence, the code is prone to heap buffer overflow. If `split_values` does not end with a value at least `num_values` then the `while` loop condition will trigger a read outside of the bounds of `split_values` once `batch_idx` grows too large. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

Published 2020-09-25 19:15:15

Updated 2021-11-18 17:24:50

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowMemory CorruptionInput validation

Products affected by CVE-2020-15201

Google » Tensorflow » Version: 2.3.0
cpe:2.3:a:google:tensorflow:2.3.0:*:*:*:-:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-15201

EPSS FAQ

0.20%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 39 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-15201

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
4.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N	2.2	2.5	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
4.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N	2.2	2.5	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2020-15201

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: security-advisories@github.com (Secondary)
CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Assigned by: security-advisories@github.com (Secondary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-15201

https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02

Fix multiple vulnerabilities in `tf.raw_ops.*CountSparseOutput`. · tensorflow/tensorflow@3cbb917 · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-p5f8-gfw5-33w4

Heap buffer overflow due to invalid splits in RaggedCountSparseOutput · Advisory · tensorflow/tensorflow · GitHub
Exploit;Third Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1

Release TensorFlow 2.3.1 · tensorflow/tensorflow · GitHub
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-15201

Products affected by CVE-2020-15201

Exploit prediction scoring system (EPSS) score for CVE-2020-15201

CVSS scores for CVE-2020-15201

CWE ids for CVE-2020-15201

References for CVE-2020-15201