CVE-2020-15192 Information

Description

In Tensorflow before versions 2.2.1 and 2.3.1 if a user passes a list of strings to dlpack.to_dlpack there is a memory leak following an expected validation failure. The issue occurs because the status argument during validation failures is not properly checked. Since each of the above methods can return an error status the status value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1 or 2.3.1.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Reference

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8 https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8fxw-76px-3rxv

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

LOW

Base Severity

4.3