CVE-2020-15204
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 25/09/2020
Last modified: 16/09/2021
Description
In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling `tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a null pointer dereference. In the linked snippet, in eager mode, `ctx->session_state()` returns `nullptr`. Since the code immediately dereferences this, we get a segmentation fault. The issue is patched in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1.
Impact
Base Score 3.x: 5.30
Severity 3.x: MEDIUM
Base Score 2.0: 5.00
Severity 2.0: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:google:tensorflow:*:*:*:*:-:*:*:* | 1.15.4 (excluding) | |
| cpe:2.3:a:google:tensorflow:*:*:*:*:-:*:*:* | 2.0.0 (including) | 2.0.3 (excluding) |
| cpe:2.3:a:google:tensorflow:*:*:*:*:-:*:*:* | 2.1.0 (including) | 2.1.2 (excluding) |
| cpe:2.3:a:google:tensorflow:*:*:*:*:-:*:*:* | 2.2.0 (including) | 2.2.1 (excluding) |
| cpe:2.3:a:google:tensorflow:*:*:*:*:-:*:*:* | 2.3.0 (including) | 2.3.1 (excluding) |
| cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:* | | |
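
The version ranges in the table above can be turned into an inventory check. The following is an added example, not part of the original advisory or of TensorFlow; the function names are hypothetical, and treating a pre-release build of a fixed version (for example `2.3.1rc0`) as affected is a conservative assumption that the advisory does not state.

```python
import re

# Affected ranges from the table above: (first affected or None, first fixed).
# None means "every release below the fixed version".
AFFECTED_RANGES = [
    (None, (1, 15, 4)),
    ((2, 0, 0), (2, 0, 3)),
    ((2, 1, 0), (2, 1, 2)),
    ((2, 2, 0), (2, 2, 1)),
    ((2, 3, 0), (2, 3, 1)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE_RE = re.compile(r"^[-.]?(rc|a|b|dev)", re.IGNORECASE)


def parse_version(version):
    """Split a version string into ((major, minor, patch), is_prerelease)."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError("unrecognised version string: %r" % version)
    release = tuple(int(part) for part in match.group(1, 2, 3))
    return release, bool(_PRERELEASE_RE.match(match.group(4)))


def is_affected(version):
    """Return True if the version falls inside a range listed for CVE-2020-15204."""
    release, prerelease = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        in_range = first_affected is None or release >= first_affected
        if in_range and release < first_fixed:
            return True
        # Assumption: a pre-release of a fixed version may predate the patch.
        if prerelease and release == first_fixed:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inventory, e.g. values of tf.__version__ from hosts.
    for sample in ["1.15.3", "1.15.4", "2.2.0", "2.3.1rc0", "2.3.1", "2.4.0"]:
        status = "AFFECTED" if is_affected(sample) else "ok"
        print("%-10s %s" % (sample, status))
```
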
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html
- https://github.com/tensorflow/tensorflow/commit/9a133d73ae4b4664d22bd1aa6d654fec13c52ee1
- https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q8gv-q7wr-9jf8



