CVE-2019-6446

CRITICAL9.8EPSS 71.5%

Numpy Deserialization of Untrusted Data

Published: 5/24/2022Modified: 10/8/2024

Description

** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

Affected packages (2)

PyPI/numpyfrom 0, <= 1.16.0
PyPI/numpyfrom 0, < 1.16.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (16)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-6446
PATCHhttps://github.com/numpy/numpy
WEBhttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00091.html
WEBhttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00092.html
WEBhttp://lists.opensuse.org/opensuse-security-announce/2019-10/msg00015.html
WEBhttps://access.redhat.com/errata/RHSA-2019:3335
WEBhttps://access.redhat.com/errata/RHSA-2019:3704
WEBhttps://bugzilla.suse.com/show_bug.cgi?id=1122208
WEBhttps://github.com/numpy/numpy/issues/12759
WEBhttps://github.com/numpy/numpy/pull/12889
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/numpy/PYSEC-2019-108.yaml
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/
WEBhttps://web.archive.org/web/20210124234613/https://www.securityfocus.com/bid/106670
WEBhttp://www.securityfocus.com/bid/106670