Remote Code Execution (RCE) The advisory has been revoked - it doesn't affect any version of package scikit-learn Open this link in a new tab
Threat Intelligence
EPSS
1% (84th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-SCIKITLEARN-569144
- published 17 May 2020
- disclosed 15 May 2020
- credit 0FuzzingQ
Introduced: 15 May 2020
CVE-2020-13092 Open this link in a new tabAmendment
This was deemed not a vulnerability.
Overview
scikit-learn is a Python module for machine learning built on top of SciPy and is distributed under the 3-Clause BSD license.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). It can unserialize and execute commands from an untrusted file that is passed to the joblib.load()
function, if __reduce__
makes an os.system call.