<p>Upgrade <code>tensorflow</code> to version 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1 or higher.</p>

Out-of-Bounds Affecting tensorflow package, versions [,1.15.4) [2.0.0, 2.0.3) [2.1.0, 2.1.2) [2.2.0, 2.2.1) [2.3.0, 2.3.1)

Snyk CVSS

Attack Complexity High

Threat Intelligence

EPSS 0.18% (55^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-TENSORFLOW-1013583
published 29 Sep 2020
disclosed 28 Sep 2020
credit Aivul Team from Qihoo 36

Report a new vulnerability Found a mistake?

Introduced: 28 Sep 2020

CVE-2020-15211 Open this link in a new tab CWE-119 Open this link in a new tab

How to fix?

Upgrade tensorflow to version 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1 or higher.

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Out-of-Bounds. During validation at model loading time. the -1 index is a valid tensor index for any operator, including those that don't expect optional inputs and including for output tensors. This allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays. This results in both read and write gadgets, albeit very limited in scope.