SCA: security update for tensorflow, tensorflow-cpu, tensorflow-gpu (GHSA-h6jh-7gv5-28vg)

medium Tenable Self-Hosted Container Security Plugin ID 415526

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TensorFlow is an end-to-end open source platform for machine learning. In affected versions the
implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by
converting a signed integer value to an unsigned one and then allocating memory based on this value. The [
implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/ten
sorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes
can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve`
which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion
transforms the negative value to a large integer. We have patched the issue in GitHub commit
c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also
cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also
affected and still in supported range. (CVE-2021-37646)

See Also

https://github.com/advisories/GHSA-h6jh-7gv5-28vg

Plugin Details

Severity: Medium

ID: 415526

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-37646

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.8

Threat Score: 4.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/25/2021

Vulnerability Publication Date: 8/12/2021

Reference Information

CVE: CVE-2021-37646

cwe: CWE-681