Identifier

CVE-2020-15197

Package Slug

pypi/tensorflow-cpu

Vulnerability

Improper Input Validation

Description

In TensorFlow, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has rank 2. This tensor must be a matrix because the code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of a different rank, resulting in a CHECK assertion failure and a crash. This can be used to cause denial of service in serving installations if users are allowed to control the components of the input sparse tensor.
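An added example, not part of the advisory or of TensorFlow's code: a check a serving front end could run on JSON-decoded sparse tensor components before they reach the op, rejecting an indices tensor that is not a matrix. The function names and the nested-list input format are assumptions.

```python
def shape_of(x):
    """Shape of a nested list as a tuple; ValueError if it is ragged."""
    if not isinstance(x, list):
        return ()
    if not x:
        return (0,)
    inner = [shape_of(e) for e in x]
    if any(s != inner[0] for s in inner):
        raise ValueError("ragged nested list")
    return (len(x),) + inner[0]


def validate_sparse_components(indices, values, dense_shape):
    """Return True if the parts form a valid sparse tensor, else raise ValueError."""
    i_shape, v_shape, d_shape = map(shape_of, (indices, values, dense_shape))
    # The validation the advisory describes as missing: indices must be a matrix.
    if len(i_shape) != 2:
        raise ValueError(f"indices must have rank 2, got rank {len(i_shape)}")
    if len(v_shape) != 1 or len(d_shape) != 1:
        raise ValueError("values and dense_shape must have rank 1")
    if i_shape[0] != v_shape[0]:
        raise ValueError("indices rows and values length differ")
    if i_shape[1] != d_shape[0]:
        raise ValueError("indices columns and dense_shape length differ")
    # Every index must be an integer inside the declared dense shape.
    for row in indices:
        for idx, dim in zip(row, dense_shape):
            if type(idx) is not int or type(dim) is not int or not 0 <= idx < dim:
                raise ValueError(f"index {idx!r} outside dense_shape {dense_shape}")
    return True


if __name__ == "__main__":
    # Constructed sample requests: (indices, values, dense_shape).
    samples = {
        "well-formed": ([[0, 1], [2, 3]], [5, 7], [3, 4]),
        "rank-1 indices": ([0, 1], [5, 7], [3, 4]),
        "rank-3 indices": ([[[0, 1]]], [5], [3, 4]),
    }
    for name, parts in samples.items():
        try:
            validate_sparse_components(*parts)
            print(f"{name}: accepted")
        except ValueError as err:
            print(f"{name}: rejected ({err})")
```
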

Affected Versions

Version 2.3.0

Solution

Upgrade to version 2.3.1 or above.

Last Modified

2020-10-05
