AI Threat Alert
CVE-2020-15192
MEDIUMIn Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the...
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
| leap | — | — | No patch |
Severity & Risk
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the `status` argument during validation failures is not properly checked. Since each of the above methods can return an error status, the `status` value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L References
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html Mailing List 3rd Party
- github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8 Patch 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.3.1 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-8fxw-76px-3rxv Exploit 3rd Party
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html Mailing List 3rd Party
- github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8 Patch 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.3.1 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-8fxw-76px-3rxv Exploit 3rd Party