CVE-2020-15210 — MEDIUM (6.5)

Q: How severe is CVE-2020-15210?

CVE-2020-15210 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-15210?

Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow, Opensuse Leap.

Vulnerability Description

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Google	Tensorflow	< 1.15.4
Opensuse	Leap	15.2

Related Weaknesses (CWE)

CWE-20 CWE-787

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.htmlMailing ListThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/d58c96946b2880991d63d1dacacb32f0PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x9j7-x98r-r4w2ExploitThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.htmlMailing ListThird Party Advisory
https://github.com/tensorflow/tensorflow/commit/d58c96946b2880991d63d1dacacb32f0PatchThird Party Advisory
https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x9j7-x98r-r4w2ExploitThird Party Advisory

FAQ

What is CVE-2020-15210?

CVE-2020-15210 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can ...

How severe is CVE-2020-15210?

CVE-2020-15210 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15210?

Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow, Opensuse Leap.