Identifier

CVE-2020-15193

Package Slug

pypi/tensorflow-cpu

Vulnerability

Use of Uninitialized Resource

Description

In Tensorflow, the implementation of dlpack.to_dlpack can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a reinterpret_cast Since the PyObject is a Python object, not a TensorFlow Tensor, the cast to EagerTensor fails.

Affected Versions

All versions starting from 2.2.0 up to 2.3.0

Solution

Upgrade to version 2.3.1 or above.

Last Modified

2020-10-08

source