漏洞标题
tensorflow中的 boosting 树中的 heap OOB
漏洞描述信息
TensorFlow 中提升树的堆溢出错误
CVSS信息
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
漏洞类别
N/A
漏洞标题
Heap OOB in boosted trees in TensorFlow
漏洞描述信息
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `BoostedTreesSparseCalculateBestFeatureSplit`. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/stats_ops.cc) needs to validate that each value in `stats_summary_indices` is in range. We have patched the issue in GitHub commit e84c975313e8e8e38bb2ea118196369c45c51378. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
CVSS信息
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
漏洞类别
跨界内存读
漏洞标题
Google TensorFlow 缓冲区错误漏洞
漏洞描述信息
Google TensorFlow是美国谷歌(Google)公司的一套用于机器学习的端到端开源平台。 Google TensorFlow 存在缓冲区错误漏洞,攻击者可以通过向"BoostedTreesSparseCalculateBestFeatureSplit"发送特制的非法参数,从堆分配数据的边界之外读取数据。以下产品及版本收到影响:TensorFlow 2.5.1、TensorFlow 2.4.3 和 TensorFlow 2.3.4。
CVSS信息
N/A
漏洞类别
缓冲区错误