CVE-2020-15265 Information

Description

In Tensorflow before version 2.4.0 an attacker can pass an invalid axis value to tf.quantization.quantize_and_dequantize. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds DCHECK-like macros are no-ops this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

https://github.com/tensorflow/tensorflow/commit/eccb7ec454e6617738554a255d77f08e60ee0808 https://github.com/tensorflow/tensorflow/issues/42105 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rrfp-j2mp-hq9c

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

7.5