Remote code execution in NumPy module for Python

Published: 2019-01-21 09:34:50 | Updated: 2019-06-21
Severity High
Patch available NO
Number of vulnerabilities 1
CVE ID CVE-2019-6446
CVSSv3 9.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C]
CWE ID CWE-77
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software Numpy
Vulnerable software versions Numpy 1.16.0
Vendor URL Numpy

Security Advisory

1) Command injection

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to the unsafe use of the pickle Python module. A remote attacker can trick the victim into loading malicious content with the affected application on a targeted system by using misleading language and instructions that allows to execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Cybersecurity Help is currently unaware of any official solution to address the vulnerability.

External links

https://github.com/numpy/numpy/issues/12759