#VU35954 Input validation error in TensorFlow - CVE-2018-7577

Cybersecurity Help s.r.o.

Published: 2019-04-24 | Updated: 2020-08-08

Vulnerability identifier: #VU35954

Vulnerability risk: High

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-7577

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TensorFlow
Server applications / Other server solutions

Vendor: TensorFlow

Description

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.

Mitigation
Install update from vendor's website.

Vulnerable software versions

TensorFlow: 1.7.0

External links
https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in TensorFlow