CVE-2024-29032
MEDIUM: Qiskit IBM Runtime < 0.21.2 - Insecure Deserialization
Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Starting in version 0.1.0 and prior to version 0.21.2, deserializing JSON data using `qiskit_ibm_runtime.RuntimeDecoder` can lead to arbitrary code execution given a correctly formatted input string. Version 0.21.2 contains a fix for this issue.
References (3)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/Qiskit/qiskit-ibm-runtime/security/advisories/GHSA-x4x5-jv3x-9c7m
Issue Tracking x_refsource_misc
https://github.com/Qiskit/qiskit-ibm-runtime/commit/b78fca114133051805d00043a404b25a33835f4d
Scores
CVSS v3: 5.3
EPSS: 0.0007
EPSS Percentile: 21.3%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-502
Status: published
Products (2)
ibm/qiskit_ibm_runtime: 0.1.0 - 0.21.2
pypi/qiskit-ibm-runtime: 0.1.0 - 0.21.2 (PyPI)
Published: Mar 20, 2024
Tracked Since: Feb 18, 2026