CVE-2020-15265 : What You Need to Know

CVE-2020-15265 is a vulnerability in Tensorflow < 2.4.0 allowing attackers to trigger a segfault. Learn about the impact, affected systems, exploitation, and mitigation steps.

In Tensorflow before version 2.4.0, an attacker can pass an invalid axis value to tf.quantization.quantize_and_dequantize, leading to a segfault and out-of-bounds access in the C++ kernel implementation. This CVE has a CVSS base score of 5.9.

Understanding CVE-2020-15265

What is CVE-2020-15265?

CVE-2020-15265 is a vulnerability in Tensorflow versions prior to 2.4.0 that allows an attacker to trigger a segfault by passing an invalid axis value.

The Impact of CVE-2020-15265

The vulnerability has a medium severity base score of 5.9, with high availability impact due to the potential for a denial of service (DoS) attack.

Technical Details of CVE-2020-15265

Vulnerability Description

        An attacker can exploit an out-of-bounds read vulnerability by passing an invalid axis value to tf.quantization.quantize_and_dequantize in Tensorflow.

Affected Systems and Versions

        Product: Tensorflow
        Vendor: Tensorflow
        Versions Affected: < 2.4.0

Exploitation Mechanism

        By passing an invalid axis value, the attacker can trigger a segfault in the C++ kernel implementation, leading to out-of-bounds access.

Mitigation and Prevention

Immediate Steps to Take

        Update Tensorflow to version 2.4.0 or later to apply the patch.
        Avoid passing invalid values to tf.quantization.quantize_and_dequantize.
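
The two immediate steps, as an added Python example (not code from Tensorflow or from this page): a version check against 2.4.0 and a wrapper that rejects an out-of-range axis before the call reaches the C++ kernel. The helper names are hypothetical, and the accepted range (None, or 0 <= axis < input rank) is a deliberately strict assumption, not a statement of the patch's exact condition.

```python
import re

FIXED = (2, 4, 0)  # first patched release, per the advisory text on this page


def is_affected(version: str) -> bool:
    """True if a Tensorflow version string is older than 2.4.0.

    Assumption: pre-releases of 2.4.0 (e.g. '2.4.0rc1') count as affected,
    since the page does not say which release candidates carry the fix.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    prerelease = bool(re.match(r"[-.]?(a|b|rc|dev)", m.group(4)))
    return nums < FIXED or (nums == FIXED and prerelease)


def check_axis(rank, axis) -> None:
    """Raise unless axis is None or indexes a dimension of a rank-`rank` input."""
    if axis is None:  # per-tensor quantization: no dimension is indexed
        return
    if isinstance(axis, bool) or not isinstance(axis, int):
        raise TypeError(f"axis must be int or None, got {type(axis).__name__}")
    if rank is None:  # unknown static rank: cannot prove the index is valid
        raise ValueError("input rank is unknown; refusing to pass axis through")
    if not 0 <= axis < rank:
        raise ValueError(f"axis {axis} out of range for rank-{rank} input")


def safe_quantize_and_dequantize(x, input_min, input_max, axis=None, **kwargs):
    """Validate axis in Python, then call the real op (hypothetical wrapper)."""
    import tensorflow as tf  # lazy import: the checks above work without TF
    x = tf.convert_to_tensor(x)
    check_axis(x.shape.rank, axis)
    return tf.quantization.quantize_and_dequantize(
        x, input_min, input_max, axis=axis, **kwargs)
```

Services that accept axis from untrusted input (for example a model-serving request) should call the wrapper even after upgrading, so a bad value fails with a Python exception at the boundary.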

Long-Term Security Practices

        Regularly update software to the latest versions to address known vulnerabilities.
        Implement secure coding practices to prevent out-of-bounds access.

Patching and Updates

        The issue is patched in commit eccb7ec454e6617738554a255d77f08e60ee0808.
