CVE-2020-15203
Denial of Service in Tensorflow
7.5
HIGH
CVSS 3.1
EPSS 0.36%
Description
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed. This may result in segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
How to fix CVE-2020-15203
To remediate CVE-2020-15203, upgrade the affected package to a fixed version below.
- —upgrade to 1.15.4 or later
- —upgrade to 1.15.4 or later
- —upgrade to 33be22c65d86256e6826666662e40dbdfe70ee83 or later
- —upgrade to 33be22c65d86256e6826666662e40dbdfe70ee83 or later
- —upgrade to 1.15.4 or later
- —upgrade to 33be22c65d86256e6826666662e40dbdfe70ee83 or later
- —upgrade to 1.15.4 or later
Is CVE-2020-15203 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 1.15.4, >= 2.0.0, < 2.0.3, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1
- from 0, < 1.15.4
- from 0, < 33be22c65d86256e6826666662e40dbdfe70ee83 | from 0, < 1.15.4, >= 2.0.0, < 2.0.3, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1
- from 0, < 33be22c65d86256e6826666662e40dbdfe70ee83 | from 0, < 1.15.4, >= 2.0.0, < 2.0.3, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1
- from 0, < 1.15.4
- from 0, < 33be22c65d86256e6826666662e40dbdfe70ee83 | from 0, < 1.15.4, >= 2.0.0, < 2.0.3, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1
- from 0, < 1.15.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |