Vulnerability Details CVE-2020-15192
In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the `status` argument during validation failures is not properly checked. Since each of the above methods can return an error status, the `status` value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.4%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html
- https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8
- https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8fxw-76px-3rxv
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html
- https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8
- https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8fxw-76px-3rxv
Products affected by CVE-2020-15192
-
cpe:2.3:a:google:tensorflow:2.2.0
-
cpe:2.3:a:google:tensorflow:2.3.0
-
cpe:2.3:o:opensuse:leap:15.2