Command injection in Numpy - CVE-2019-6446
Published: January 21, 2019 / Updated: March 24, 2022
Vulnerability identifier: #VU17095
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-6446
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Numpy
Affected software:
Numpy
Numpy
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to the unsafe use of the pickle Python module. A remote attacker can trick the victim into loading malicious content with the affected application on a targeted system by using misleading language and instructions that allows to execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2019-6446
Install update from vendor's website.