Remote Code Execution (RCE)

Affecting scikit-learn package, versions [0,]


Overview

scikit-learn is a Python module for machine learning built on top of SciPy and is distributed under the 3-Clause BSD license.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). joblib.load() unpickles the file it is given, so loading an untrusted file whose pickle stream defines a __reduce__ that makes an os.system call executes that command on the loading host.
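As an added example (not part of this advisory, scikit-learn or joblib), the following shows the defender-side check a practitioner would want before handing a plain pickle file of the kind joblib.load() accepts to the unpickler: enumerate the global references in the stream without executing it, then unpickle under an allowlist that refuses anything else. The allowlist contents and the sample objects are constructed for illustration.

```python
import io
import json
import pickle
import pickletools
from collections import OrderedDict

# Constructed allowlist for this example: the only globals a model file we expect
# to load may reference. joblib.load() runs the pickle machinery on whatever file
# it is given, so any other global (os.system via __reduce__) is code, not data.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def pickle_globals(data: bytes) -> list:
    """Every (module, name) the stream references, found with pickletools.genops
    (decodes opcodes, executes nothing). Covers GLOBAL (proto <= 3) and STACK_GLOBAL
    (proto >= 4, where module and name are the two preceding pushed strings)."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found

class RestrictedUnpickler(pickle.Unpickler):
    # find_class is the enforcing gate: it runs on every global lookup, including
    # ones the opcode scan misses (module/name strings fetched from the memo).
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

def safe_load(data: bytes):
    """Audit first (cheap and loggable), then unpickle under the allowlist."""
    bad = [g for g in pickle_globals(data) if g not in ALLOWED_GLOBALS]
    if bad:
        raise pickle.UnpicklingError(f"audit: disallowed globals {bad}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

def loads_cleanly(data: bytes) -> bool:
    try:
        safe_load(data)
        return True
    except pickle.UnpicklingError:
        return False

# Constructed samples: plain data, an allowed class, and a bare function reference
# in both opcode forms (the same shape a reference to os.system would have).
BENIGN = pickle.dumps({"a": 1})
ALLOWED = pickle.dumps(OrderedDict(a=1))
FUNC_REF = pickle.dumps(json.dumps)
FUNC_REF_P2 = pickle.dumps(json.dumps, protocol=2)
```

The audit list is what to log when a rejected file arrives; the find_class refusal is what actually stops execution.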

Remediation

There is no fixed version for scikit-learn.

References

CVSS Score

9.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit
0FuzzingQ
CVE
CVE-2020-13092
CWE
CWE-94
Snyk ID
SNYK-PYTHON-SCIKITLEARN-569144
Disclosed
15 May, 2020
Published
17 May, 2020