Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM803324ED2DE4C3B08F169DF45DEBE6C1EA9A8B7E1AAC50635272FEDA912303A5
HistoryFeb 27, 2021 - 3:40 a.m.

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow

2021-02-2703:40:09
www.ibm.com
16
ibm watson discovery
cloud pak
tensorflow
vulnerability
denial of service
sensitive information

EPSS

0.002

Percentile

56.9%

JSON

Summary

IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of TensorFlow .

Vulnerability Details

CVEID:CVE-2020-26270
**DESCRIPTION:**TensorFlow is vulnerable to a denial of service, caused by a query-of-death flaw when running an LSTM/GRU model. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to causes a CHECK failure when using the CUDA backend.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193281 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-26266
**DESCRIPTION:**TensorFlow could allow a local authenticated attacker to obtain sensitive information, caused by an uninitialized memory access flaw in Eigen types during code execution. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the memory, or cause the system to crash.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193277 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)

CVEID:CVE-2020-26269
**DESCRIPTION:**TensorFlow is vulnerable to a denial of service, caused by an out-of-bounds read flaw in the general implementation for matching filesystem paths to globbing pattern. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to causes the system to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193280 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-26268
**DESCRIPTION:**TensorFlow is vulnerable to a denial of service, caused by a modification of assumed-immutable data issue. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to causes a segmentation fault.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193279 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)

CVEID:CVE-2020-26271
**DESCRIPTION:**TensorFlow could allow a local authenticated attacker to obtain sensitive information, caused by an uninitialized memory access flaw while building the computation graph. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the memory, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193282 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-26267
**DESCRIPTION:**TensorFlow could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw when validating the src_format and dst_format attributes by the tf.raw_ops.DataFormatVecPermute API. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the memory, or cause the system to crash.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193278 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-15265
**DESCRIPTION:**Tensorflow is vulnerable to a denial of service, caused by a segfault in tf.quantization.quantize_and_dequantize. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190507 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-15266
**DESCRIPTION:**Tensorflow is vulnerable to a denial of service, caused by a segfault in tf.image.crop_and_resize. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190506 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
ICP - Discovery 2.0.0-2.2.0

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.2.1

<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install&gt;

Workarounds and Mitigations

None

Related

archlinux 1
ibm 4
osv 48
prion 8
cvelist 8
github 8
veracode 9
nvd 8
cve 8
suse 1
nessus 1
archlinux
archlinux
[ASA-202012-22] tensorflow: multiple issues
2020-12-16 00:00:00
ibm
ibm
Security Bulletin: Multiple TensorFlow Vulnerabilities Affect IBM Watson Machine Learning on CP4D
2021-07-30 05:03:02
Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues.
2021-02-04 22:54:56
Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues.
2021-02-04 23:37:49
osv
osv
CVE-2020-26267
2020-12-10 23:15:12
Lack of validation in data format attributes in TensorFlow
2020-12-10 19:07:26
CHECK-fail in LSTM with zero-length input in TensorFlow
2020-12-10 19:07:31
prion
prion
Design/Logic Flaw
2020-10-21 21:15:00
Out-of-bounds
2020-12-10 23:15:00
Input validation
2020-12-10 23:15:00
cvelist
cvelist
CVE-2020-26269 Heap out of bounds read in filesystem glob matching in TensorFlow
2020-12-10 22:10:28
CVE-2020-26270 CHECK-fail in LSTM with zero-length input in TensorFlow
2020-12-10 22:10:23
CVE-2020-26268 Write to immutable memory region in TensorFlow
2020-12-10 22:10:35
github
github
TensorFlow vulnerable to heap out of bounds read in filesystem glob matching
2022-10-07 07:22:33
Heap out of bounds access in MakeEdge in TensorFlow
2020-12-10 19:07:34
Float cast overflow undefined behavior
2020-11-13 17:18:29
veracode
veracode
Denial Of Service (DoS)
2020-12-14 04:08:38
Denial Of Service (DoS)
2020-12-11 03:20:12
Denial Of Service (DoS)
2020-12-11 03:29:33
nvd
nvd
CVE-2020-15266
2020-10-21 21:15:12
CVE-2020-26269
2020-12-10 23:15:12
CVE-2020-26271
2020-12-10 22:15:12
cve
cve
CVE-2020-15266
2020-10-21 21:15:12
CVE-2020-26268
2020-12-10 23:15:12
CVE-2020-26270
2020-12-10 23:15:12
suse
suse
Security update for tensorflow2 (moderate)
2022-06-18 00:00:00
nessus
nessus
openSUSE 15 Security Update : tensorflow2 (openSUSE-SU-2022:10014-1)
2022-06-19 00:00:00

EPSS

0.002

Percentile

56.9%

JSON
Related for 803324ED2DE4C3B08F169DF45DEBE6C1EA9A8B7E1AAC50635272FEDA912303A5
archlinux1ibm4osv48prion8cvelist8github8veracode9nvd8cve8suse1nessus1