CVE-2020-15191 MEDIUM

CVE-2020-15191: Undefined behavior in Tensorflow

Vendor Tensorflow

Product tensorflow

Weakness CWE-20 · Input validation

Published September 25, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to `dlpack.to_dlpack` the expected validations will cause variables to bind to `nullptr` while setting a `status` variable to the error condition. However, this `status` argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with `-fsanitize=null`. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.

Key dates

02Disclosure timeline

September 25, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-15191 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

Identifiers

CVE CVE-2020-15191

CWE CWE-20

CVSS 5.3 / MEDIUM

Affected versions

Vendor Tensorflow

Product tensorflow

Affected = 2.2.0

Vendor Tensorflow

Product tensorflow

Affected = 2.3.0

CVE-2020-15191: Undefined behavior in Tensorflow

01Description

02Disclosure timeline

03References

04Related CVE