SCA: security update for tensorflow, tensorflow-cpu, tensorflow-gpu (GHSA-h6fg-mjxg-hqq4)

high Tenable Self-Hosted Container Security Plugin ID 415520

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects
the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are
several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these
cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on
how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap
allocated arrays, stack overflows, or data corruption. The issue is patched in commits
27b417360cbd671ef55915e4bb6bb06af8b8a832 and ca8c013b5e97b1373b3bb1c97ea655e69f31a575, and is released in
TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. (CVE-2020-15202)

See Also

https://github.com/advisories/GHSA-h6fg-mjxg-hqq4

Plugin Details

Severity: High

ID: 415520

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-15202

CVSS v3

Risk Factor: Critical

Base Score: 9

Temporal Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 5.2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/25/2020

Vulnerability Publication Date: 9/25/2020

Reference Information

CVE: CVE-2020-15202