CVE-2024-29032

MEDIUM

Qiskit Ibm Runtime < 0.21.2 - Insecure Deserialization

Title source: rule

Description

Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Starting in version 0.1.0 and prior to version 0.21.2, deserializing json data using `qiskit_ibm_runtime.RuntimeDecoder` can lead to arbitrary code execution given a correctly formatted input string. Version 0.21.2 contains a fix for this issue.

References (3)

[Issue Tracking] https://github.com/Qiskit/qiskit-ibm-runtime/blob/16e90f475e78a9d2ae77daa139ef750cfa84ca82/qiskit_ibm_runtime/utils/json.py#L156-L159

[Issue Tracking] https://github.com/Qiskit/qiskit-ibm-runtime/commit/b78fca114133051805d00043a404b25a33835f4d

View Writeup ZIP pw:eip

[Exploit, Vendor Advisory] https://github.com/Qiskit/qiskit-ibm-runtime/security/advisories/GHSA-x4x5-jv3x-9c7m

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 18.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502

Status published

Affected Products (2)

ibm/qiskit_ibm_runtime < 0.21.2

pypi/qiskit-ibm-runtime < 0.21.2PyPI

Timeline

Published Mar 20, 2024

Tracked Since Feb 18, 2026