PT-2019-1615 · Numpy+6 · Numpy+6
Nanshihui
·
Publicado
2019-01-16
·
Atualizado
2025-09-29
·
CVE-2019-6446
CVSS v3.1
10
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
NumPy versions 1.16.0 and earlier
Description
An issue was discovered in NumPy where it uses the pickle Python module unsafely. This allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. The issue is disputed by third parties because it might have legitimate applications in loading serialized Python object arrays from trusted and authenticated sources.
Recommendations
For NumPy versions 1.16.0 and earlier, consider avoiding the use of the pickle Python module or restricting the loading of serialized objects to trusted sources until a fix is available. As a temporary workaround, consider disabling the use of numpy.load for untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Deserialization of Untrusted Data
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Almalinux
Centos
Numpy
Red Hat
Rocky Linux
Suse
Pickle