PyPi: Tensorflow

CVE-2020-15193

Safety vulnerability ID: 38823

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 25, 2020 Updated at Jun 18, 2024

Scan your Python projects for vulnerabilities →

Advisory

Tensorflow versions 2.2.1 and 2.3.1 include a fix for CVE-2020-15193: In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of "dlpack.to_dlpack" can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a "reinterpret_cast". Since the "PyObject" is a Python object, not a Tensorflow tensor, the cast to "EagerTensor" fails. The issue was patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v

Affected package

tensorflow

Latest version: 2.16.1

TensorFlow is an open source machine learning framework for everyone.

Affected versions

Fixed versions

Vulnerability changelog

In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.

CONFIRM:https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v
MISC:https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8: https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8
MISC:https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1: https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.1

CVSS v3 Details

HIGH 7.1

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Availability (A): LOW

CVSS v2 Details

MEDIUM 5.5

Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): SINGLE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL