SCA: security update for tensorflow, tensorflow-cpu, tensorflow-gpu (GHSA-2r8p-fg3c-wcj4)

high Tenable Self-Hosted Container Security Plugin ID 409066

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker
can trigger a crash via a `CHECK`-fail in debug builds of TensorFlow using `tf.raw_ops.ResourceGather` or
a read from outside the bounds of heap allocated data in the same API in a release build. The [implementat
ion](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/cor
e/kernels/resource_variable_ops.cc#L660-L668) does not check that the `batch_dims` value that the user
supplies is less than the rank of the input tensor. Since the implementation uses several for loops over
the dimensions of `tensor`, this results in reading data from outside the bounds of heap allocated buffer
backing the tensor. We have patched the issue in GitHub commit bc9c546ce7015c57c2f15c168b3d9201de679a1d.
The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1,
TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
(CVE-2021-37654)

See Also

https://github.com/advisories/GHSA-2r8p-fg3c-wcj4

Plugin Details

Severity: High

ID: 409066

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Low

Base Score: 3.6

Temporal Score: 2.7

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2021-37654

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7

Threat Score: 4.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/25/2021

Vulnerability Publication Date: 8/12/2021

Reference Information

CVE: CVE-2021-37654

cwe: CWE-125