CVE-2019-6446

CRITICAL

Numpy < 1.16.0 - Insecure Deserialization

Title source: rule

Description

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

Exploits (1)

nomisec WORKING POC 3 stars

by RayScri · poc

https://github.com/RayScri/CVE-2019-6446

View Code ZIP pw:eip

References (13)

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00091.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00092.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00015.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/106670

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:3335

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:3704

[Exploit, Issue Tracking, Third Party Advisory] https://bugzilla.suse.com/show_bug.cgi?id=1122208

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/numpy/numpy/issues/12759

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/

[Patch] https://github.com/numpy/numpy/commit/89b688732b37616c9d26623f81aaee1703c30ffb

[Issue Tracking] https://github.com/numpy/numpy/pull/12889

[Issue Tracking] https://github.com/numpy/numpy/pull/13359

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/

Scores

CVSS v3 9.8

EPSS 0.5160

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (3)

numpy/numpy < 1.16.0

fedoraproject/fedora

pypi/numpy PyPI

Timeline

Published Jan 16, 2019

Tracked Since Feb 18, 2026