CVE-2024-0937 — Deserialization of untrusted data in synthcity

描述

A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9. Affected by this issue is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252182 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024.

如何修補 CVE-2024-0937

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

—未列出修補版本

CVE-2024-0937 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, <= 0.2.9

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-0937
PATCHgithub.com/vanderschaarlab/synthcity
WEBgithub.com/bayuncao/vul-cve-6
WEBgithub.com/vanderschaarlab/synthcity/blob/73cfd8ca784f70141fc7f2969221cd3b5737f7b1/src/synthcity/utils/serialization.py#L30