7.5
CVE-2020-15203
- EPSS 0.36%
- Veröffentlicht 25.09.2020 19:15:15
- Zuletzt bearbeitet 21.11.2024 05:05:04
- Quelle security-advisories@github.com
- Teams Watchlist Login
- Unerledigt Login
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed. This may result in segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Google ≫ Tensorflow SwEdition- Version < 1.15.4
Google ≫ Tensorflow SwEdition- Version >= 2.0.0 < 2.0.3
Google ≫ Tensorflow SwEdition- Version >= 2.1.0 < 2.1.2
Google ≫ Tensorflow SwEdition- Version >= 2.2.0 < 2.2.1
Google ≫ Tensorflow SwEdition- Version >= 2.3.0 < 2.3.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.552 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-134 Use of Externally-Controlled Format String
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.