Numeric Truncation Error Affecting tensorflow-cpu package, versions [,1.15.4) [2.0.0, 2.0.3) [2.1.0, 2.1.2) [2.2.0, 2.2.1) [2.3.0, 2.3.1)
- Snyk ID SNYK-PYTHON-TENSORFLOWCPU-1013546
- published 28 Sep 2020
- disclosed 28 Sep 2020
- credit Aivul Team from Qihoo 360
Introduced: 28 Sep 2020
CVE-2020-15202
How to fix?
Upgrade tensorflow-cpu to version 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1 or higher.
Overview
tensorflow-cpu is a machine learning framework.
Affected versions of this package are vulnerable to Numeric Truncation Error. The Shard API in TensorFlow expects the last argument to be a function taking two int64 (i.e., long long) arguments. However, there are several places in TensorFlow where a lambda taking int or int32 arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption.
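The mismatch described above can be reproduced in isolation. The following is an added example, not TensorFlow's code: RunShards, BoundsSeenWithInt, BoundsSeenWithInt64 and CountInvalid are hypothetical names, the work size is constructed, and int is assumed to be 32 bits wide. It shows that a callback declared with int parameters is accepted without complaint and then receives wrapped bounds, while the int64_t version receives the real ones.

```cpp
#include <algorithm>
#include <cstdint>
#include <functional>
#include <iostream>
#include <utility>
#include <vector>

// Hypothetical stand-in for a Shard-style API (not TensorFlow's code):
// the callback receives each half-open block [start, limit) as int64_t.
using WorkFn = std::function<void(int64_t, int64_t)>;
using Bounds = std::vector<std::pair<int64_t, int64_t>>;

void RunShards(int64_t total, int64_t block, const WorkFn& work) {
  for (int64_t start = 0; start < total; start += block)
    work(start, std::min(start + block, total));
}

// Flawed pattern: the lambda takes int, so std::function silently narrows
// the int64_t bounds before the body ever sees them.
Bounds BoundsSeenWithInt(int64_t total, int64_t block) {
  Bounds seen;
  RunShards(total, block,
            [&seen](int start, int limit) { seen.emplace_back(start, limit); });
  return seen;
}

// Corrected pattern: parameter types match the API's int64_t contract.
Bounds BoundsSeenWithInt64(int64_t total, int64_t block) {
  Bounds seen;
  RunShards(total, block,
            [&seen](int64_t s, int64_t l) { seen.emplace_back(s, l); });
  return seen;
}

// A block is usable for indexing only if 0 <= start < limit <= total.
int64_t CountInvalid(const Bounds& seen, int64_t total) {
  int64_t bad = 0;
  for (const auto& b : seen)
    if (b.first < 0 || b.first >= b.second || b.second > total) ++bad;
  return bad;
}

int main() {
  // Constructed work size just above 2^31, split into 2^30-element blocks.
  const int64_t total = (int64_t{1} << 31) + 1000, block = int64_t{1} << 30;
  std::cout << CountInvalid(BoundsSeenWithInt(total, block), total) << " vs "
            << CountInvalid(BoundsSeenWithInt64(total, block), total) << "\n";
}
```

Because the narrowing happens inside the std::function call wrapper, the mismatch does not surface as a compile error at the call site, so reviewing callback parameter types against the API contract is the practical check.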