SCA: security update for tensorflow, tensorflow-cpu, tensorflow-gpu (GHSA-mxjj-953w-2c2v)

high Tenable Cloud Security Plugin ID 417197

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common
dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes.
Since the function always returns the dimension of the first tensor, malicious attackers can craft cases
where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of
bounds since the interpreter will wrongly assume that there is enough data in both tensors. The issue is
patched in commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d, and is released in TensorFlow versions 1.15.4,
2.0.3, 2.1.2, 2.2.1, or 2.3.1. (CVE-2020-15208)

See Also

https://github.com/advisories/GHSA-mxjj-953w-2c2v

Plugin Details

Severity: High

ID: 417197

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-15208

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/25/2020

Vulnerability Publication Date: 9/25/2020

Reference Information

CVE: CVE-2020-15208