5.3

CVE-2020-26266

Exploit

Uninitialized memory access in Eigen types in TensorFlow

In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleTensorflow Version < 1.15.5
GoogleTensorflow Version >= 2.0.0 < 2.0.4
GoogleTensorflow Version >= 2.1.0 < 2.1.3
GoogleTensorflow Version >= 2.2.0 < 2.2.2
GoogleTensorflow Version >= 2.3.0 < 2.3.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.152
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 1.8 3.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvd@nist.gov 4.6 3.9 6.4
AV:L/AC:L/Au:N/C:P/I:P/A:P
security-advisories@github.com 4.4 1.8 2.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2
Patch
Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2
Patch
Third Party Advisory
Exploit