CVE-2020-15200

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15200
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15200.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15200
Aliases
Related
Published
2020-09-25T19:15:15Z
Modified
2025-10-21T06:01:58.460675Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In Tensorflow before version 2.3.1, the RaggedCountSparseOutput implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the splits tensor generate a valid partitioning of the values tensor. Thus, the code sets up conditions to cause a heap buffer overflow. A BatchedMap is equivalent to a vector where each element is a hashmap. However, if the first element of splits_values is not 0, batch_idx will never be 1, hence there will be no hashmap at index 0 in per_batch_counts. Trying to access that in the user code results in a segmentation fault. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

References

Affected packages

Git / github.com/tensorflow/tensorflow

Affected ranges

Type
GIT
Repo
https://github.com/tensorflow/tensorflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3cbb917b4714766030b28eba9fb41bb97ce9ee02
Fixed
fcc4b966f1265f466e82617020af93670141b009

Affected versions

0.*

0.12.0-rc0
0.12.0-rc1
0.12.1
0.5.0
0.6.0

v0.*

v0.10.0
v0.10.0rc0
v0.11.0
v0.11.0rc0
v0.11.0rc1
v0.11.0rc2
v0.12.0
v0.7.0
v0.7.1
v0.8.0rc0
v0.9.0
v0.9.0rc0

v1.*

v1.0.0
v1.0.0-alpha
v1.0.0-rc0
v1.0.0-rc1
v1.0.0-rc2
v1.1.0
v1.1.0-rc0
v1.1.0-rc1
v1.1.0-rc2
v1.12.0
v1.12.0-rc0
v1.12.0-rc1
v1.12.0-rc2
v1.12.1
v1.2.0
v1.2.0-rc0
v1.2.0-rc1
v1.2.0-rc2
v1.3.0-rc0
v1.3.0-rc1
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.6.0
v1.6.0-rc0
v1.6.0-rc1
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.8.0
v1.8.0-rc0
v1.8.0-rc1
v1.9.0
v1.9.0-rc0
v1.9.0-rc1
v1.9.0-rc2

v2.*

v2.3.0
v2.3.0-rc0
v2.3.0-rc1
v2.3.0-rc2

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02",
        "target": {
            "file": "tensorflow/core/kernels/count_ops.cc"
        },
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2020-15200-9a90de26",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "194455449804247006546970132492779615094",
                "178731129031260204571627040095543599818",
                "22442231680206585208932878058814312758",
                "146741406298267783987235037807096346951",
                "270064729730618086481934325402793011741",
                "329344782668638107157103525047366598930",
                "285728407237300076804994927600394619637",
                "310080866930792095910778699557952768464",
                "273815884519049275176915647183401088747",
                "281569265756867032329963835068941296722",
                "59438575670218216172183450249341417337",
                "59397343641890017345404701263589996852",
                "43962453346651511293497165677412754359",
                "137531346914510616513168760830676577742"
            ],
            "threshold": 0.9
        }
    }
]