7.5
CVE-2020-15203
- EPSS 0.36%
- Published 25.09.2020 19:15:15
- Last modified 21.11.2024 05:05:04
- Source security-advisories@github.com
- Teams watchlist Login
- Open Login
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed. This may result in segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
Data is provided by the National Vulnerability Database (NVD)
Google ≫ Tensorflow SwEdition- Version < 1.15.4
Google ≫ Tensorflow SwEdition- Version >= 2.0.0 < 2.0.3
Google ≫ Tensorflow SwEdition- Version >= 2.1.0 < 2.1.2
Google ≫ Tensorflow SwEdition- Version >= 2.2.0 < 2.2.1
Google ≫ Tensorflow SwEdition- Version >= 2.3.0 < 2.3.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.552 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-134 Use of Externally-Controlled Format String
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.