CVE-2020-15193 (GCVE-0-2020-15193)
Vulnerability from cvelistv5
- CWE-908 - Use of Uninitialized Resource
Vendor | Product | Version
---|---|---
tensorflow | tensorflow | = 2.2.0; = 2.3.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:22.677Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "name": "openSUSE-SU-2020:1766", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "tensorflow", "vendor": "tensorflow", "versions": [ { "status": "affected", "version": "= 2.2.0" }, { "status": "affected", "version": "= 2.3.0" } ] } ], "descriptions": [ { "lang": "en", "value": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-908", "description": "{\"CWE-908\":\"Use of Uninitialized Resource\"}", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-29T15:06:20", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "name": "openSUSE-SU-2020:1766", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ], "source": { "advisory": "GHSA-rjjg-hgv6-h69v", "discovery": "UNKNOWN" }, "title": "Memory corruption in Tensorflow", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15193", "STATE": "PUBLIC", "TITLE": "Memory corruption in Tensorflow" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "tensorflow", "version": { "version_data": [ { "version_value": "= 2.2.0" }, { "version_value": "= 2.3.0" } ] } } ] }, "vendor_name": "tensorflow" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of 
`dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "{\"CWE-908\":\"Use of Uninitialized Resource\"}" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1", "refsource": "MISC", "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v", "refsource": "CONFIRM", "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "name": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8", "refsource": "MISC", "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "name": "openSUSE-SU-2020:1766", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ] }, "source": { "advisory": "GHSA-rjjg-hgv6-h69v", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15193", "datePublished": "2020-09-25T18:40:51", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.677Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-15193\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-09-25T19:15:14.573\",\"lastModified\":\"2024-11-21T05:05:03.037\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. 
The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.\"},{\"lang\":\"es\",\"value\":\"En Tensorflow versiones anteriores a 2.2.1 y 2.3.1, la implementaci\u00f3n de \\\"dlpack.to_dlpack\\\" puede ser realizada para usar la memoria no inicializada, lo que resulta en una mayor corrupci\u00f3n de la memoria.\u0026#xa0;Esto es debido a que el c\u00f3digo adhesivo pybind11 asume que el argumento es un tensor.\u0026#xa0;Sin embargo, no existe nada que impida que los usuarios pasen un objeto Python en lugar de un tensor.\u0026#xa0;La direcci\u00f3n de memoria no inicializada es debido a un \\\"reinterpret_cast\\\" Dado que el \\\"PyObject\\\" es un objeto de Python, no un Tensor de TensorFlow, la conversi\u00f3n a \\\"EagerTensor\\\" presenta un fallo.\u0026#xa0;El problema es parcheado en el commit 22e07fb204386768e5bcbea563641ea11f96ceb8 y es publicado en TensorFlow versiones 2.2.1 o 2.3.1\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}],\"cvssMetr
icV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:2.2.0:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"FB9BCD7D-1626-429F-B479-7D2F1E46B9C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:tensorflow:2.3.0:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"D0A7B69E-9388-48F0-B744-49453EBAF5D5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}" } }
pysec-2020-308
Vulnerability from pysec
In TensorFlow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory, resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast`. Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1 or 2.3.1.
Name | purl
---|---
tensorflow-gpu | pkg:pypi/tensorflow-gpu
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "tensorflow-gpu", "purl": "pkg:pypi/tensorflow-gpu" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "22e07fb204386768e5bcbea563641ea11f96ceb8" } ], "repo": "https://github.com/tensorflow/tensorflow", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "2.2.1" }, { "introduced": "2.3.0rc0" }, { "fixed": "2.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "0.12.0", "0.12.1", "1.0.0", "1.0.1", "1.1.0", "1.10.0", "1.10.1", "1.11.0", "1.12.0", "1.12.2", "1.12.3", "1.13.1", "1.13.2", "1.14.0", "1.15.0", "1.15.2", "1.15.3", "1.15.4", "1.15.5", "1.2.0", "1.2.1", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.6.0", "1.7.0", "1.7.1", "1.8.0", "1.9.0", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.3.0" ] } ], "aliases": [ "CVE-2020-15193", "GHSA-rjjg-hgv6-h69v" ], "details": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. 
The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.", "id": "PYSEC-2020-308", "modified": "2021-12-09T06:35:12.446415Z", "published": "2020-09-25T19:15:00Z", "references": [ { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "type": "ADVISORY", "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "type": "FIX", "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ] }
pysec-2020-116
Vulnerability from pysec
In TensorFlow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory, resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast`. Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1 or 2.3.1.
Name | purl
---|---
tensorflow | pkg:pypi/tensorflow
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "tensorflow", "purl": "pkg:pypi/tensorflow" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "22e07fb204386768e5bcbea563641ea11f96ceb8" } ], "repo": "https://github.com/tensorflow/tensorflow", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "2.2.1" }, { "introduced": "2.3.0rc0" }, { "fixed": "2.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "0.12.0rc0", "0.12.0rc1", "0.12.0", "0.12.1", "1.0.0", "1.0.1", "1.1.0rc0", "1.1.0rc1", "1.1.0rc2", "1.1.0", "1.2.0rc0", "1.2.0rc1", "1.2.0rc2", "1.2.0", "1.2.1", "1.3.0rc0", "1.3.0rc1", "1.3.0rc2", "1.3.0", "1.4.0rc0", "1.4.0rc1", "1.4.0", "1.4.1", "1.5.0rc0", "1.5.0rc1", "1.5.0", "1.5.1", "1.6.0rc0", "1.6.0rc1", "1.6.0", "1.7.0rc0", "1.7.0rc1", "1.7.0", "1.7.1", "1.8.0rc0", "1.8.0rc1", "1.8.0", "1.9.0rc0", "1.9.0rc1", "1.9.0rc2", "1.9.0", "1.10.0rc0", "1.10.0rc1", "1.10.0", "1.10.1", "1.11.0rc0", "1.11.0rc1", "1.11.0rc2", "1.11.0", "1.12.0rc0", "1.12.0rc1", "1.12.0rc2", "1.12.0", "1.12.2", "1.12.3", "1.13.0rc0", "1.13.0rc1", "1.13.0rc2", "1.13.1", "1.13.2", "1.14.0rc0", "1.14.0rc1", "1.14.0", "1.15.0rc0", "1.15.0rc1", "1.15.0rc2", "1.15.0rc3", "1.15.0", "1.15.2", "1.15.3", "1.15.4", "1.15.5", "2.0.0a0", "2.0.0b0", "2.0.0b1", "2.0.0rc0", "2.0.0rc1", "2.0.0rc2", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.1.0rc0", "2.1.0rc1", "2.1.0rc2", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.2.0rc0", "2.2.0rc1", "2.2.0rc2", "2.2.0rc3", "2.2.0rc4", "2.2.0", "2.3.0rc0", "2.3.0rc1", "2.3.0rc2", "2.3.0", "2.1.4" ] } ], "aliases": [ "CVE-2020-15193", "GHSA-rjjg-hgv6-h69v" ], "details": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. 
The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.", "id": "PYSEC-2020-116", "modified": "2021-09-01T08:19:32.562362Z", "published": "2020-09-25T19:15:00Z", "references": [ { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "type": "ADVISORY", "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "type": "FIX", "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ] }
pysec-2020-273
Vulnerability from pysec
In TensorFlow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory, resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast`. Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1 or 2.3.1.
Name | purl
---|---
tensorflow-cpu | pkg:pypi/tensorflow-cpu
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "tensorflow-cpu", "purl": "pkg:pypi/tensorflow-cpu" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "22e07fb204386768e5bcbea563641ea11f96ceb8" } ], "repo": "https://github.com/tensorflow/tensorflow", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "2.2.1" }, { "introduced": "2.3.0rc0" }, { "fixed": "2.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "1.15.0", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.3.0" ] } ], "aliases": [ "CVE-2020-15193", "GHSA-rjjg-hgv6-h69v" ], "details": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.", "id": "PYSEC-2020-273", "modified": "2021-12-09T06:34:40.985674Z", "published": "2020-09-25T19:15:00Z", "references": [ { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "type": "ADVISORY", "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "type": "FIX", "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ] }
opensuse-su-2020:1766-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for tensorflow2", "title": "Title of the patch" }, { "category": "description", "text": "This update for tensorflow2 fixes the following issues:\n\n- updated to 2.1.2 with following fixes (boo#1177022):\n * Fixes an undefined behavior causing a segfault in tf.raw_ops.Switch (CVE-2020-15190)\n * Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\n * Fixes two vulnerabilities in SparseFillEmptyRowsGrad (CVE-2020-15194, CVE-2020-15195)\n * Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\n * Fixes a format string vulnerability in tf.strings.as_string (CVE-2020-15203)\n * Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\n * Fixes data leak and potential ASLR violation from tf.raw_ops.StringNGrams (CVE-2020-15205)\n * Fixes segfaults caused by incomplete SavedModel validation (CVE-2020-15206)\n * Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\n * Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\n * Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2020-1766", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": 
"https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1766-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2020:1766-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TNMEEN772D6LWSHNB64QFB5TB3CZZEF4/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2020:1766-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TNMEEN772D6LWSHNB64QFB5TB3CZZEF4/" }, { "category": "self", "summary": "SUSE Bug 1173314", "url": "https://bugzilla.suse.com/1173314" }, { "category": "self", "summary": "SUSE Bug 1175099", "url": "https://bugzilla.suse.com/1175099" }, { "category": "self", "summary": "SUSE Bug 1175789", "url": "https://bugzilla.suse.com/1175789" }, { "category": "self", "summary": "SUSE Bug 1177022", "url": "https://bugzilla.suse.com/1177022" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15190 page", "url": "https://www.suse.com/security/cve/CVE-2020-15190/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15191 page", "url": "https://www.suse.com/security/cve/CVE-2020-15191/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15192 page", "url": "https://www.suse.com/security/cve/CVE-2020-15192/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15193 page", "url": "https://www.suse.com/security/cve/CVE-2020-15193/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15194 page", "url": "https://www.suse.com/security/cve/CVE-2020-15194/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15195 page", "url": "https://www.suse.com/security/cve/CVE-2020-15195/" }, { "category": "self", 
"summary": "SUSE CVE CVE-2020-15202 page", "url": "https://www.suse.com/security/cve/CVE-2020-15202/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15203 page", "url": "https://www.suse.com/security/cve/CVE-2020-15203/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15204 page", "url": "https://www.suse.com/security/cve/CVE-2020-15204/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15205 page", "url": "https://www.suse.com/security/cve/CVE-2020-15205/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15206 page", "url": "https://www.suse.com/security/cve/CVE-2020-15206/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15207 page", "url": "https://www.suse.com/security/cve/CVE-2020-15207/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15208 page", "url": "https://www.suse.com/security/cve/CVE-2020-15208/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15209 page", "url": "https://www.suse.com/security/cve/CVE-2020-15209/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15210 page", "url": "https://www.suse.com/security/cve/CVE-2020-15210/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15211 page", "url": "https://www.suse.com/security/cve/CVE-2020-15211/" } ], "title": "Security update for tensorflow2", "tracking": { "current_release_date": "2020-10-29T11:23:39Z", "generator": { "date": "2020-10-29T11:23:39Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2020:1766-1", "initial_release_date": "2020-10-29T11:23:39Z", "revision_history": [ { "date": "2020-10-29T11:23:39Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow2-2.1.2-lp152.7.3.1.x86_64" } }, { "category": 
"product_version", "name": "libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" } }, 
{ "category": "product_version", "name": "tensorflow2-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "product_id": 
"tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64" } }, { "category": "product_version", "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "product": { "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "product_id": "tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Leap 15.2", "product": { "name": "openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.2" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "libtensorflow2-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": 
"libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", 
"product_id": "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": 
"tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", 
"full_product_name": { "name": "tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" }, "product_reference": "tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.2" } ] }, 
"vulnerabilities": [ { "cve": "CVE-2020-15190", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15190" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `tf.raw_ops.Switch` operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is `nullptr`, hence we are binding a reference to `nullptr`. This is undefined behavior and reported as an error if compiling with `-fsanitize=null`. In this case, this results in a segmentation fault The issue is patched in commit da8558533d925694483d2c136a9220d6d49d843c, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15190", "url": "https://www.suse.com/security/cve/CVE-2020-15190" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", 
"openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15190" }, { "cve": "CVE-2020-15191", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15191" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to `dlpack.to_dlpack` the expected validations will cause variables to bind to `nullptr` while setting a `status` variable to the error condition. However, this `status` argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with `-fsanitize=null`. 
The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15191", "url": "https://www.suse.com/security/cve/CVE-2020-15191" } ], "remediations": [ { "category": 
"vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "openSUSE Leap 
15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15191" }, { "cve": "CVE-2020-15192", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15192" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings 
to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the `status` argument during validation failures is not properly checked. Since each of the above methods can return an error status, the `status` value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15192", "url": "https://www.suse.com/security/cve/CVE-2020-15192" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", 
"date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15192" }, { "cve": "CVE-2020-15193", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15193" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15193", "url": "https://www.suse.com/security/cve/CVE-2020-15193" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE 
Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15193" }, { "cve": "CVE-2020-15194", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15194" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `SparseFillEmptyRowsGrad` implementation has incomplete validation of the shapes of its arguments. Although `reverse_index_map_t` and `grad_values_t` are accessed in a similar pattern, only `reverse_index_map_t` is validated to be of proper shape. Hence, malicious users can pass a bad `grad_values_t` to trigger an assertion failure in `vec`, causing denial of service in serving installations. 
The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15194", "url": "https://www.suse.com/security/cve/CVE-2020-15194" } ], "remediations": 
[ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "openSUSE 
Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15194" }, { "cve": "CVE-2020-15195", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15195" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the 
implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern. It is possible for `reverse_index_map(i)` to be an index outside of bounds of `grad_values`, thus resulting in a heap buffer overflow. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15195", "url": "https://www.suse.com/security/cve/CVE-2020-15195" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15195" }, { 
"cve": "CVE-2020-15202", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15202" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption. The issue is patched in commits 27b417360cbd671ef55915e4bb6bb06af8b8a832 and ca8c013b5e97b1373b3bb1c97ea655e69f31a575, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15202", "url": "https://www.suse.com/security/cve/CVE-2020-15202" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", 
"openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15202" }, { "cve": "CVE-2020-15203", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15203" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format used in a `printf` call is constructed. This may result in a segmentation fault. 
The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15203", "url": "https://www.suse.com/security/cve/CVE-2020-15203" } ], "remediations": [ 
{ "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 
15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15203" }, { "cve": "CVE-2020-15204", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15204" } ], "notes": [ { "category": "general", "text": "In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 
does not set the session state. Hence, calling `tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a null pointer dereference. In the linked snippet, in eager mode, `ctx-\u003esession_state()` returns `nullptr`. Since the code immediately dereferences this, we get a segmentation fault. The issue is patched in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15204", "url": "https://www.suse.com/security/cve/CVE-2020-15204" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", 
"date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15204" }, { "cve": "CVE-2020-15205", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15205" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after `ee ff` are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR. The issue is patched in commit 0462de5b544ed4731aa2fb23946ac22c01856b80, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE 
Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15205", "url": "https://www.suse.com/security/cve/CVE-2020-15205" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "important" } ], "title": "CVE-2020-15205" }, { "cve": "CVE-2020-15206", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15206" } ], "notes": [ { "category": "general", "text": "In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow\u0027s `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using `tensorflow-serving` or other inference-as-a-service installments. Fixes were added in commits f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d (both going into TensorFlow 2.2.0 and 2.3.0 but not yet backported to earlier versions). However, this was not enough, as #41097 reports a different failure mode. 
The issue is patched in commit adf095206f25471e864a8e63a0f1caef53a0e3a6, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15206", "url": "https://www.suse.com/security/cve/CVE-2020-15206" } ], "remediations": [ 
{ "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 
15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15206" }, { "cve": "CVE-2020-15207", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15207" } ], "notes": [ { "category": "general", "text": "In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic 
Python\u0027s indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", 
"openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15207", "url": "https://www.suse.com/security/cve/CVE-2020-15207" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "critical" } ], "title": "CVE-2020-15207" }, { "cve": "CVE-2020-15208", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15208" } ], "notes": [ { "category": "general", "text": "In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors. The issue is patched in commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15208", "url": "https://www.suse.com/security/cve/CVE-2020-15208" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE 
Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "important" } ], "title": "CVE-2020-15208" }, { "cve": "CVE-2020-15209", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15209" } ], "notes": [ { "category": "general", "text": "In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with `nullptr`. However, by changing the buffer index for a tensor and implicitly converting that tensor to be a read-write one, as there is nothing in the model that writes to it, we get a null pointer dereference. 
The issue is patched in commit 0b5662bc, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15209", "url": "https://www.suse.com/security/cve/CVE-2020-15209" } ], "remediations": [ { "category": "vendor_fix", 
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 
15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15209" }, { "cve": "CVE-2020-15210", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15210" } ], "notes": [ { "category": "general", "text": "In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a 
TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15210", "url": "https://www.suse.com/security/cve/CVE-2020-15210" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 
15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15210" }, { 
"cve": "CVE-2020-15211", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15211" } ], "notes": [ { "category": "general", "text": "In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor. However, some operators can have some tensors be optional. To handle this scenario, the flatbuffer model uses a negative `-1` value as index for these tensors. This results in special casing during validation at model loading time. Unfortunately, this means that the `-1` index is a valid tensor index for any operator, including those that don\u0027t expect optional inputs and including for output tensors. Thus, this allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays. This results in both read and write gadgets, albeit very limited in scope. The issue is patched in several commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21, and fff2c83), and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that only operators which accept optional inputs use the `-1` special value and only for the tensors that they expect to be optional. 
Since this allow-list type approach is erro-prone, we advise upgrading to the patched code.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15211", "url": "https://www.suse.com/security/cve/CVE-2020-15211" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this 
SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:libtensorflow2-2.1.2-lp152.7.3.1.x86_64", 
"openSUSE Leap 15.2:libtensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_cc2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:libtensorflow_framework2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2-lite-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-hpc-doc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-devel-2.1.2-lp152.7.3.1.x86_64", "openSUSE Leap 15.2:tensorflow2_2_1_2-gnu-openmpi2-hpc-doc-2.1.2-lp152.7.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2020-10-29T11:23:39Z", "details": "moderate" } ], "title": "CVE-2020-15211" } ] }
ghsa-rjjg-hgv6-h69v
Vulnerability from github
7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Impact
The implementation of `dlpack.to_dlpack` can be made to use uninitialized memory, resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor:
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/python/tfe_wrapper.cc#L1361
However, there is nothing stopping users from passing in a Python object instead of a tensor.
```python
In [2]: tf.experimental.dlpack.to_dlpack([2])
==1720623==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55b0ba5c410a in tensorflow::(anonymous namespace)::GetTensorFromHandle(TFE_TensorHandle*, TF_Status*) third_party/tensorflow/c/eager/dlpack.cc:46:7
    #1 0x55b0ba5c38f4 in tensorflow::TFE_HandleToDLPack(TFE_TensorHandle*, TF_Status*) third_party/tensorflow/c/eager/dlpack.cc:252:26
...
```
The uninitialized memory address is due to a `reinterpret_cast`:
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/python/eager/pywrap_tensor.cc#L848-L850
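Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails: `reinterpret_cast` performs no runtime type check, so the result is treated as an `EagerTensor` even though the object is not one.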
Patches
We have patched the issue in 22e07fb204386768e5bcbea563641ea11f96ceb8 and will release a patch release for all affected versions.
We recommend that users upgrade to TensorFlow 2.2.1 or 2.3.1.
For more information
Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "tensorflow" }, "ranges": [ { "events": [ { "introduced": "2.2.0" }, { "fixed": "2.2.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "2.2.0" ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow" }, "ranges": [ { "events": [ { "introduced": "2.3.0" }, { "fixed": "2.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "2.3.0" ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-cpu" }, "ranges": [ { "events": [ { "introduced": "2.2.0" }, { "fixed": "2.2.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "2.2.0" ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-cpu" }, "ranges": [ { "events": [ { "introduced": "2.3.0" }, { "fixed": "2.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "2.3.0" ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-gpu" }, "ranges": [ { "events": [ { "introduced": "2.2.0" }, { "fixed": "2.2.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "2.2.0" ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-gpu" }, "ranges": [ { "events": [ { "introduced": "2.3.0" }, { "fixed": "2.3.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "2.3.0" ] } ], "aliases": [ "CVE-2020-15193" ], "database_specific": { "cwe_ids": [ "CWE-908" ], "github_reviewed": true, "github_reviewed_at": "2020-09-25T17:08:13Z", "nvd_published_at": "2020-09-25T19:15:00Z", "severity": "HIGH" }, "details": "### Impact\nThe implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. 
This is because the pybind11 glue code assumes that the argument is a tensor:\nhttps://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/python/tfe_wrapper.cc#L1361\n\nHowever, there is nothing stopping users from passing in a Python object instead of a tensor.\n```python\nIn [2]: tf.experimental.dlpack.to_dlpack([2]) \n==1720623==WARNING: MemorySanitizer: use-of-uninitialized-value \n #0 0x55b0ba5c410a in tensorflow::(anonymous namespace)::GetTensorFromHandle(TFE_TensorHandle*, TF_Status*) third_party/tensorflow/c/eager/dlpack.cc:46:7\n #1 0x55b0ba5c38f4 in tensorflow::TFE_HandleToDLPack(TFE_TensorHandle*, TF_Status*) third_party/tensorflow/c/eager/dlpack.cc:252:26\n... \n```\n\nThe uninitialized memory address is due to a `reinterpret_cast`\nhttps://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/python/eager/pywrap_tensor.cc#L848-L850\n\nSince the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. 
\n\n### Patches\nWe have patched the issue in 22e07fb204386768e5bcbea563641ea11f96ceb8 and will release a patch release for all affected versions.\n\nWe recommend users to upgrade to TensorFlow 2.2.1 or 2.3.1.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by members of the Aivul Team from Qihoo 360.", "id": "GHSA-rjjg-hgv6-h69v", "modified": "2024-10-28T20:17:48Z", "published": "2020-09-25T18:28:27Z", "references": [ { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15193" }, { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-273.yaml" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-308.yaml" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-116.yaml" }, { "type": "PACKAGE", "url": "https://github.com/tensorflow/tensorflow" }, { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Memory corruption in Tensorflow" }
fkie_cve-2020-15193
Vulnerability from fkie_nvd
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Source | URL | Tags | |
---|---|---|---|
security-advisories@github.com | http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html | Mailing List, Third Party Advisory | |
security-advisories@github.com | https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 | Third Party Advisory | |
security-advisories@github.com | https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v | Exploit, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
tensorflow | 2.2.0 | ||
tensorflow | 2.3.0 | ||
opensuse | leap | 15.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:google:tensorflow:2.2.0:*:*:*:-:*:*:*", "matchCriteriaId": "FB9BCD7D-1626-429F-B479-7D2F1E46B9C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:tensorflow:2.3.0:*:*:*:-:*:*:*", "matchCriteriaId": "D0A7B69E-9388-48F0-B744-49453EBAF5D5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1." 
}, { "lang": "es", "value": "En Tensorflow versiones anteriores a 2.2.1 y 2.3.1, la implementaci\u00f3n de \"dlpack.to_dlpack\" puede ser realizada para usar la memoria no inicializada, lo que resulta en una mayor corrupci\u00f3n de la memoria.\u0026#xa0;Esto es debido a que el c\u00f3digo adhesivo pybind11 asume que el argumento es un tensor.\u0026#xa0;Sin embargo, no existe nada que impida que los usuarios pasen un objeto Python en lugar de un tensor.\u0026#xa0;La direcci\u00f3n de memoria no inicializada es debido a un \"reinterpret_cast\" Dado que el \"PyObject\" es un objeto de Python, no un Tensor de TensorFlow, la conversi\u00f3n a \"EagerTensor\" presenta un fallo.\u0026#xa0;El problema es parcheado en el commit 22e07fb204386768e5bcbea563641ea11f96ceb8 y es publicado en TensorFlow versiones 2.2.1 o 2.3.1" } ], "id": "CVE-2020-15193", "lastModified": "2024-11-21T05:05:03.037", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { 
"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-09-25T19:15:14.573", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" } ], "sourceIdentifier": 
"security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-908" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-908" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
gsd-2020-15193
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2020-15193", "description": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.", "id": "GSD-2020-15193", "references": [ "https://www.suse.com/security/cve/CVE-2020-15193.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2020-15193" ], "details": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. 
The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.", "id": "GSD-2020-15193", "modified": "2023-12-13T01:21:43.808945Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15193", "STATE": "PUBLIC", "TITLE": "Memory corruption in Tensorflow" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "tensorflow", "version": { "version_data": [ { "version_value": "= 2.2.0" }, { "version_value": "= 2.3.0" } ] } } ] }, "vendor_name": "tensorflow" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "{\"CWE-908\":\"Use of Uninitialized Resource\"}" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1", "refsource": "MISC", "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v", "refsource": "CONFIRM", "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "name": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8", "refsource": "MISC", "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "name": "openSUSE-SU-2020:1766", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ] }, "source": { "advisory": "GHSA-rjjg-hgv6-h69v", "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003e=2.2.0,\u003c=2.3.0", "affected_versions": "All versions starting from 2.2.0 up to 2.3.0", "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "cwe_ids": [ "CWE-1035", "CWE-908", "CWE-937" ], "date": "2020-10-29", "description": "In Tensorflow, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. 
However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails.", "fixed_versions": [ "2.3.1" ], "identifier": "CVE-2020-15193", "identifiers": [ "CVE-2020-15193", "GHSA-rjjg-hgv6-h69v" ], "not_impacted": "All versions before 2.2.0, all versions after 2.3.0", "package_slug": "pypi/tensorflow-cpu", "pubdate": "2020-09-25", "solution": "Upgrade to version 2.3.1 or above.", "title": "Use of Uninitialized Resource", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-15193" ], "uuid": "2d9a648c-67be-4ced-9b5c-5ca47b6cc2a7" }, { "affected_range": "\u003e=2.2.0,\u003c=2.3.0", "affected_versions": "All versions starting from 2.2.0 up to 2.3.0", "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "cwe_ids": [ "CWE-1035", "CWE-908", "CWE-937" ], "date": "2020-10-29", "description": "In Tensorflow, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. 
The uninitialized memory address is due to a `reinterpret_cast`. Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails.", "fixed_versions": [ "2.3.1" ], "identifier": "CVE-2020-15193", "identifiers": [ "CVE-2020-15193", "GHSA-rjjg-hgv6-h69v" ], "not_impacted": "All versions before 2.2.0, all versions after 2.3.0", "package_slug": "pypi/tensorflow-gpu", "pubdate": "2020-09-25", "solution": "Upgrade to version 2.3.1 or above.", "title": "Use of Uninitialized Resource", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-15193" ], "uuid": "8251c91c-9f66-4c9b-b4cb-1a56c94bdd82" }, { "affected_range": "\u003e=2.2.0,\u003c=2.3.0", "affected_versions": "All versions starting from 2.2.0 up to 2.3.0", "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "cwe_ids": [ "CWE-1035", "CWE-908", "CWE-937" ], "date": "2021-11-18", "description": "In Tensorflow, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. 
The uninitialized memory address is due to a `reinterpret_cast`. Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails.", "fixed_versions": [ "2.3.1" ], "identifier": "CVE-2020-15193", "identifiers": [ "CVE-2020-15193", "GHSA-rjjg-hgv6-h69v" ], "not_impacted": "All versions before 2.2.0, all versions after 2.3.0", "package_slug": "pypi/tensorflow", "pubdate": "2020-09-25", "solution": "Upgrade to version 2.3.1 or above.", "title": "Use of Uninitialized Resource", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-15193" ], "uuid": "69d9bbeb-6d02-4319-a55f-ca6db0658dd8" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.2.0:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:google:tensorflow:2.3.0:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15193" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast`. Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-908" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1" }, { "name": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v", "refsource": "CONFIRM", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v" }, { "name": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8" }, { "name": "openSUSE-SU-2020:1766", "refsource": "SUSE", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" }, 
"exploitabilityScore": 2.8, "impactScore": 4.2 } }, "lastModifiedDate": "2021-11-18T17:20Z", "publishedDate": "2020-09-25T19:15Z" } } }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.