PT-2024-27278 · Unknown · Ydata-Profiling

Published: 2024-06-04 · Updated: 2024-06-04 · CVE-2024-37062

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ydata-profiling versions 3.7.0 or newer

Description: The ydata-profiling open-source library deserializes untrusted data when a saved report is loaded. A maliciously crafted report can therefore run arbitrary code on the end user's system at load time.

Recommendations: For versions 3.7.0 or newer, consider disabling the deserialization of untrusted data as a temporary workaround until a patch is available. Restrict access to potentially malicious reports to minimize the risk of exploitation, and avoid loading untrusted reports with the affected library until the issue is resolved.
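The workaround above ("disable the deserialization of untrusted data") can be approximated in code with an allow-list unpickler. The following is an added illustration, not ydata-profiling's own code, and it assumes the saved report is a pickle-based byte stream (the advisory does not state the format); the allow-list, the helper names and the sample reports are constructed for the example. The guard refuses to resolve any class or function that is not explicitly permitted, which is the lookup a crafted pickle needs in order to execute code, while still accepting reports that are plain data.

```python
"""Allow-list guard for loading serialized reports (added example, hypothetical).

Assumes a pickle-based report format. Only plain containers and scalars may be
reconstructed; any other global is refused before it can be resolved.
"""
import datetime
import io
import pickle

# Constructed allow-list of (module, name) pairs that are safe to rebuild.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
    ("builtins", "float"), ("builtins", "bool"), ("builtins", "bytes"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allow-list.

    pickle rebuilds objects by looking up (module, name) and may call the
    result while loading; refusing the lookup closes that code path.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name} from untrusted data")


def restricted_loads(data: bytes):
    """Deserialize `data` with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_report_bytes(data: bytes):
    """Return (ok, payload_or_reason) and never raise on hostile or broken input."""
    try:
        return True, restricted_loads(data)
    except (pickle.UnpicklingError, EOFError, ValueError, TypeError) as exc:
        return False, str(exc)


# Constructed sample reports (hypothetical shapes, not the real report format).
PLAIN_REPORT = pickle.dumps({"n_vars": 3, "columns": ["a", "b", "c"]})
OBJECT_REPORT = pickle.dumps({"generated": datetime.date(2024, 6, 4)})
GARBAGE_REPORT = b"not a pickle"

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_REPORT), ("object", OBJECT_REPORT),
                        ("garbage", GARBAGE_REPORT)]:
        ok, result = load_report_bytes(blob)
        print(f"{label}: {'accepted' if ok else 'rejected'} -> {result}")
```

A plain-data report loads normally; a report that references any class outside the allow-list (here a harmless `datetime.date`, standing in for anything unexpected) is rejected before the class is resolved, and malformed bytes are reported as a rejection rather than an exception. This is a hardening layer, not a substitute for the advisory's primary advice of not loading reports from untrusted sources.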

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2024-37062
GHSA-FPVJ-M2H6-6WC5

Affected Products

Ydata-Profiling