SCA: security update for tensorflow, tensorflow-cpu, tensorflow-gpu (GHSA-4g9f-63rx-5cw4)

medium Tenable Self-Hosted Container Security Plugin ID 410170

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `tf.raw_ops.Switch` operation
takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the
tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager
runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is
`nullptr`, hence we are binding a reference to `nullptr`. This is undefined behavior and reported as an
error if compiling with `-fsanitize=null`. In this case, this results in a segmentation fault The issue is
patched in commit da8558533d925694483d2c136a9220d6d49d843c, and is released in TensorFlow versions 1.15.4,
2.0.3, 2.1.2, 2.2.1, or 2.3.1. (CVE-2020-15190)

See Also

https://github.com/advisories/GHSA-4g9f-63rx-5cw4

Plugin Details

Severity: Medium

ID: 410170

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2020-15190

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Threat Score: 2.1

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/25/2020

Vulnerability Publication Date: 9/25/2020

Reference Information

CVE: CVE-2020-15190