Denial of Service in Tensorflow
Description
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the SparseFillEmptyRowsGrad implementation has incomplete validation of the shapes of its arguments. Although reverse_index_map_t and grad_values_t are accessed in a similar pattern, only reverse_index_map_t is validated to be of proper shape. Hence, malicious users can pass a bad grad_values_t to trigger an assertion failure in vec, causing denial of service in serving installations. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | < 1.15.4 | 1.15.4 |
tensorflowPyPI | >= 2.0.0, < 2.0.3 | 2.0.3 |
tensorflowPyPI | >= 2.1.0, < 2.1.2 | 2.1.2 |
tensorflowPyPI | >= 2.2.0, < 2.2.1 | 2.2.1 |
tensorflowPyPI | >= 2.3.0, < 2.3.1 | 2.3.1 |
tensorflow-cpuPyPI | < 1.15.4 | 1.15.4 |
tensorflow-cpuPyPI | >= 2.0.0, < 2.0.3 | 2.0.3 |
tensorflow-cpuPyPI | >= 2.1.0, < 2.1.2 | 2.1.2 |
tensorflow-cpuPyPI | >= 2.2.0, < 2.2.1 | 2.2.1 |
tensorflow-cpuPyPI | >= 2.3.0, < 2.3.1 | 2.3.1 |
tensorflow-gpuPyPI | < 1.15.4 | 1.15.4 |
tensorflow-gpuPyPI | >= 2.0.0, < 2.0.3 | 2.0.3 |
tensorflow-gpuPyPI | >= 2.1.0, < 2.1.2 | 2.1.2 |
tensorflow-gpuPyPI | >= 2.2.0, < 2.2.1 | 2.2.1 |
tensorflow-gpuPyPI | >= 2.3.0, < 2.3.1 | 2.3.1 |
Affected products
9- osv-coords8 versionspkg:bitnami/tensorflowpkg:pypi/tensorflowpkg:pypi/tensorflow-cpupkg:pypi/tensorflow-gpupkg:rpm/opensuse/tensorflow2_2_1_2-gnu-hpc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/tensorflow2_2_1_2-gnu-openmpi2-hpc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/tensorflow2&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/tensorflow2-lite&distro=openSUSE%20Leap%2015.2
< 1.15.4+ 7 more
- (no CPE)range: < 1.15.4
- (no CPE)range: < 1.15.4
- (no CPE)range: < 1.15.4
- (no CPE)range: < 1.15.4
- (no CPE)range: < 2.1.2-lp152.7.3.1
- (no CPE)range: < 2.1.2-lp152.7.3.1
- (no CPE)range: < 2.1.2-lp152.7.3.1
- (no CPE)range: < 2.1.2-lp152.7.3.1
- Range: < 1.15.4
Patches
Vulnerability mechanics
References
9- lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.htmlghsavendor-advisoryx_refsource_SUSEWEB
- github.com/advisories/GHSA-9mqp-7v2h-2382ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15194ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-274.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-309.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-117.yamlghsaWEB
- github.com/tensorflow/tensorflow/commit/390611e0d45c5793c7066110af37c8514e6a6c54ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/releases/tag/v2.3.1ghsax_refsource_MISCWEB
- github.com/tensorflow/tensorflow/security/advisories/GHSA-9mqp-7v2h-2382ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.