Out-of-Bounds Affecting tensorflow package, versions [,1.15.4) [2.0.0, 2.0.3) [2.1.0, 2.1.2) [2.2.0, 2.2.1) [2.3.0, 2.3.1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-TENSORFLOW-1013583
- published 29 Sep 2020
- disclosed 28 Sep 2020
- credit Aivul Team from Qihoo 36
Introduced: 28 Sep 2020
CVE-2020-15211 Open this link in a new tabHow to fix?
Upgrade tensorflow to version 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1 or higher.
Overview
tensorflow is a machine learning framework.
Affected versions of this package are vulnerable to Out-of-Bounds. During validation at model loading time. the -1 index is a valid tensor index for any operator, including those that don't expect optional inputs and including for output tensors. This allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays. This results in both read and write gadgets, albeit very limited in scope.