CVE-2018-7577: Input Validation
First published: Wed Apr 24 2019(Updated: )
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google Snappy | =1.1.4 | |
| Google TensorFlow | <1.7.1 | |
| pip/tensorflow-gpu | >=1.1.0<1.7.1 | 1.7.1 |
| pip/tensorflow | >=1.1.0<1.7.1 | 1.7.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md
- https://nvd.nist.gov/vuln/detail/CVE-2018-7577
- https://github.com/tensorflow/tensorflow/commit/dfa9921e6343727b05f42f8d4a918b19528ff994
- https://github.com/advisories/GHSA-qx2v-j445-g354 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2019-225.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2019-232.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2019-207.yaml
Frequently Asked Questions
What is the severity of CVE-2018-7577?
CVE-2018-7577 has a medium severity level due to its potential to cause a crash or read from other parts of process memory.
How do I fix CVE-2018-7577?
To mitigate CVE-2018-7577, upgrade Google Snappy to version 1.1.4 or higher or TensorFlow to version 1.7.1 or later.
Which versions of TensorFlow are affected by CVE-2018-7577?
CVE-2018-7577 affects all TensorFlow versions prior to 1.7.1.
Can CVE-2018-7577 cause data leaks?
Yes, CVE-2018-7577 can potentially lead to unauthorized read access to other parts of process memory, resulting in data leaks.
Is the Google Snappy library vulnerable in versions before 1.1.4?
No, only Google Snappy version 1.1.4 is specifically identified as vulnerable in CVE-2018-7577.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/severity
- agent/event
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qx2v-j445-g354
- alias/CVE-2018-7577
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- vendor/google
- canonical/google snappy
- version/google snappy/1.1.4
- canonical/google tensorflow