Miggo Logo

CVE-2020-15210: Segmentation fault in tensorflow-lite

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.55337%
Published
9/25/2020
Updated
10/28/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
tensorflowpip< 1.15.41.15.4
tensorflowpip>= 2.0.0, < 2.0.32.0.3
tensorflowpip>= 2.1.0, < 2.1.22.1.2
tensorflowpip= 2.2.02.2.1
tensorflowpip= 2.3.02.3.1
tensorflow-cpupip< 1.15.41.15.4
tensorflow-cpupip>= 2.0.0, < 2.0.32.0.3
tensorflow-cpupip>= 2.1.0, < 2.1.22.1.2
tensorflow-cpupip= 2.2.02.2.1
tensorflow-gpupip< 1.15.41.15.4
tensorflow-gpupip>= 2.0.0, < 2.0.32.0.3
tensorflow-gpupip>= 2.1.0, < 2.1.22.1.2
tensorflow-gpupip= 2.2.02.2.1
tensorflow-cpupip= 2.3.02.3.1
tensorflow-gpupip= 2.3.02.3.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing input/output overlap checks in the node creation process. The commit d58c96946b introduced CheckInputAndOutputForOverlap() and called it from AddNodeWithParameters() for built-in ops. In vulnerable versions, this critical validation was absent in AddNodeWithParameters, allowing dangerous tensor reuse. The function's direct role in operator configuration and the explicit addition of validation in the patch confirm its vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* * T*Lit* s*v** mo**l us*s t** s*m* t*nsor *s *ot* input *n* output o* *n op*r*tor, t**n, **p*n*in* on t** op*r*tor, w* **n o*s*rv* * s**m*nt*tion **ult or just m*mory *orruption. ### P*t***s W* **v* p*t**** t** issu* in ********** *n*

Reasoning

T** vuln*r**ility st*ms *rom missin* input/output ov*rl*p ****ks in t** no** *r**tion `pro**ss`. T** *ommit ********** intro*u*** `****kInput*n*Output*orOv*rl*p()` *n* **ll** it *rom `***No**Wit*P*r*m*t*rs()` *or *uilt-in ops. In vuln*r**l* v*rsions,