BIT-tensorflow-2020-26267

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/tensorflow/BIT-tensorflow-2020-26267.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-tensorflow-2020-26267

Aliases

Published

2024-03-06T11:20:17.433Z

Modified

2025-05-20T10:02:07.006Z

Summary

Lack of validation in data format attributes in TensorFlow

Details

In affected versions of TensorFlow the tf.rawops.DataFormatVecPermute API does not validate the srcformat and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

Database specific

{
    "cpes": [
        "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / tensorflow

Package

Name: tensorflow
Purl: pkg:bitnami/tensorflow

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.15.5

Introduced

2.0.0

Fixed

2.0.4

Introduced

2.1.0

Fixed

2.1.3

Introduced

2.2.0

Fixed

2.2.2

Introduced

2.3.0

Fixed

2.3.2