CVE-2020-15196

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15196
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15196.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-15196
Aliases
Related
Published
2020-09-25T19:15:14Z
Modified
2025-10-15T12:24:40.835056Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Tensorflow version 2.3.0, the SparseCountSparseOutput and RaggedCountSparseOutput implementations don't validate that the weights tensor has the same shape as the data. The check exists for DenseCountSparseOutput, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the bounds of the heap buffer allocated for the weights. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

References

Affected packages

Git / github.com/tensorflow/tensorflow

Affected ranges

Type
GIT
Repo
https://github.com/tensorflow/tensorflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3cbb917b4714766030b28eba9fb41bb97ce9ee02
Fixed
fcc4b966f1265f466e82617020af93670141b009

Affected versions

0.*

0.12.0-rc0
0.12.0-rc1
0.12.1
0.5.0
0.6.0

v0.*

v0.10.0
v0.10.0rc0
v0.11.0
v0.11.0rc0
v0.11.0rc1
v0.11.0rc2
v0.12.0
v0.7.0
v0.7.1
v0.8.0rc0
v0.9.0
v0.9.0rc0

v1.*

v1.0.0
v1.0.0-alpha
v1.0.0-rc0
v1.0.0-rc1
v1.0.0-rc2
v1.1.0
v1.1.0-rc0
v1.1.0-rc1
v1.1.0-rc2
v1.12.0
v1.12.0-rc0
v1.12.0-rc1
v1.12.0-rc2
v1.12.1
v1.2.0
v1.2.0-rc0
v1.2.0-rc1
v1.2.0-rc2
v1.3.0-rc0
v1.3.0-rc1
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.6.0
v1.6.0-rc0
v1.6.0-rc1
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.8.0
v1.8.0-rc0
v1.8.0-rc1
v1.9.0
v1.9.0-rc0
v1.9.0-rc1
v1.9.0-rc2

v2.*

v2.3.0
v2.3.0-rc0
v2.3.0-rc1
v2.3.0-rc2

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "tensorflow/core/kernels/count_ops.cc"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "194455449804247006546970132492779615094",
                "178731129031260204571627040095543599818",
                "22442231680206585208932878058814312758",
                "146741406298267783987235037807096346951",
                "270064729730618086481934325402793011741",
                "329344782668638107157103525047366598930",
                "285728407237300076804994927600394619637",
                "310080866930792095910778699557952768464",
                "273815884519049275176915647183401088747",
                "281569265756867032329963835068941296722",
                "59438575670218216172183450249341417337",
                "59397343641890017345404701263589996852",
                "43962453346651511293497165677412754359",
                "137531346914510616513168760830676577742"
            ]
        },
        "id": "CVE-2020-15196-9a90de26"
    }
]