7.8

CVE-2020-26267

Exploit

Lack of validation in data format attributes in TensorFlow

In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleTensorflow Version < 1.15.5
GoogleTensorflow Version >= 2.0.0 < 2.0.4
GoogleTensorflow Version >= 2.1.0 < 2.1.3
GoogleTensorflow Version >= 2.2.0 < 2.2.2
GoogleTensorflow Version >= 2.3.0 < 2.3.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.149
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 4.3 3.1 6.4
AV:L/AC:L/Au:S/C:P/I:P/A:P
security-advisories@github.com 4.4 1.8 2.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://github.com/tensorflow/tensorflow/commit/ebc70b7a592420d3d2f359e4b1694c236b82c7ae
Patch
Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c9f3-9wfr-wgh7
Patch
Third Party Advisory
Exploit