Miggo Logo
Miggo Vulnerability Database
CVE-2018-7577

CVE-2018-7577: Improper Input Validation in Google TensorFlow

8.1

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-7577
GHSA ID
GHSA-qx2v-j445-g354
EPSS Score
0.38417%
CWE
CWE-20
Published
4/30/2019
Updated
10/28/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
tensorflowpip>= 1.1.0, < 1.7.11.7.1
tensorflow-gpupip>= 1.1.0, < 1.7.11.7.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from Google's Snappy library (v1.1.4) used by TensorFlow, not from TensorFlow's own code. The patch shows TensorFlow addressed this by upgrading the Snappy dependency to v1.1.7. The root cause was in Snappy's implementation of memory handling (memcpy with overlapping parameters), but:

  1. The provided diffs only show dependency version changes and build configuration updates
  2. No TensorFlow-specific functions are modified in the patch
  3. The vulnerability manifests through usage of Snappy's compression functions, but the exact vulnerable functions belong to Snappy's internal implementation
  4. There's no evidence of vulnerable TensorFlow code patterns in the provided commit/patch data Without access to Snappy's internal function-level changes between 1.1.4 and 1.1.7, we can't confidently identify specific vulnerable functions within the TensorFlow codebase itself.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M*m*py p*r*m*t*r ov*rl*p in *oo*l* Sn*ppy li*r*ry *.*.*, *s us** in *oo*l* T*nsor*low ***or* *.*.*, *oul* r*sult in * *r*s* or r*** *rom ot**r p*rts o* pro**ss m*mory.

Reasoning

T** vuln*r**ility st*ms *rom *oo*l*'s Sn*ppy li*r*ry (v*.*.*) us** *y T*nsor*low, not *rom T*nsor*low's own *o**. T** p*t** s*ows T*nsor*low ***r*ss** t*is *y up*r**in* t** Sn*ppy **p*n**n*y to v*.*.*. T** root **us* w*s in Sn*ppy's impl*m*nt*tion o*