CVE-2020-15207

Description

In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

How to fix CVE-2020-15207

To remediate CVE-2020-15207, upgrade the affected package to a fixed version below.

—upgrade to 1.15.4 or later
—upgrade to 1.15.4 or later
—upgrade to 2d88f470dea2671b430884260f3626b1fe99830a or later
—upgrade to 2d88f470dea2671b430884260f3626b1fe99830a or later
—upgrade to 1.15.4 or later
—upgrade to 2d88f470dea2671b430884260f3626b1fe99830a or later
—upgrade to 1.15.4 or later

Is CVE-2020-15207 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

from 0, < 1.15.4, >= 2.0.0, < 2.0.3, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1
from 0, < 1.15.4
from 0, < 2d88f470dea2671b430884260f3626b1fe99830a | from 0, < 1.15.4, >= 2.0.0, < 2.0.3, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1
from 0, < 2d88f470dea2671b430884260f3626b1fe99830a | from 0, < 1.15.4, >= 2.0.0, < 2.0.3, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1
from 0, < 1.15.4
from 0, < 2d88f470dea2671b430884260f3626b1fe99830a | from 0, < 1.15.4, >= 2.0.0, < 2.0.3, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.1, >= 2.3.0, < 2.3.1
from 0, < 1.15.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:H
osv	CVSS 3.1	HIGH8.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H