This repository has been archived by the owner on Feb 8, 2024. It is now read-only.

CVE-2019-6446 (High) detected in numpy-1.15.1-cp37-cp37m-manylinux1_x86_64.whl #32

Closed
mend-for-github-com bot opened this issue Jan 18, 2022 · 0 comments
Labels: Mend: dependency security vulnerability (Security vulnerability detected by WhiteSource)

Comments


mend-for-github-com bot commented Jan 18, 2022

CVE-2019-6446 - High Severity Vulnerability

Vulnerable Library - numpy-1.15.1-cp37-cp37m-manylinux1_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/1a/2e/4e298c92b1fced64a4414ada9af3253a91083b92b131c2b10c057c507982/numpy-1.15.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /src/pybind/mgr/diskprediction_local/requirements.txt

Path to vulnerable library: /src/pybind/mgr/diskprediction_local/requirements.txt,/src/pybind/rgw,/src/pybind/rbd

Dependency Hierarchy:

  • numpy-1.15.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: aa78617d024ccd26801e43c6980f939cf8bded5f

Vulnerability Details

** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

Publish Date: 2019-01-16

URL: CVE-2019-6446

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859

Release Date: 2019-10-01

Fix Resolution: 1.16.2
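
The report above says that numpy.load feeds object-dtype (.npy "descr" of '|O') arrays through pickle, so a crafted file gets arbitrary code execution; the upstream mitigation is to refuse pickled arrays unless the caller passes allow_pickle=True explicitly. The block below is an added example, not code from the Mend report, from Ceph, or from NumPy: a pure-Python gate that parses only the .npy header (magic, version, header length, dict literal) and rejects any array whose dtype would require unpickling, before the data section is ever touched. The `_EchoPayload` class and the sample blobs built in `demo()` are constructed for the example; the payload is only ever pickled, never unpickled, so nothing executes.

```python
"""Pre-load gate for .npy files (added example; not NumPy's own code).

Layout of a .npy blob: magic b'\\x93NUMPY', one byte major version, one byte
minor version, a little-endian header length (uint16 for v1.0, uint32 for
v2.0/v3.0), a Python-dict literal header (latin1; utf-8 for v3.0), then the
data. For object dtypes the data section is a pickle, which is the
code-execution path CVE-2019-6446 describes.
"""
import ast
import os
import pickle
import struct

NPY_MAGIC = b"\x93NUMPY"


class _EchoPayload:
    """Constructed sample payload: unpickling it would call os.system."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


def build_npy(header, data, version=(1, 0)):
    """Serialise a .npy blob; the header dict is written as its repr, like numpy does."""
    prefix_len = len(NPY_MAGIC) + 2 + (2 if version[0] == 1 else 4)
    body = repr(header)
    pad = (64 - (prefix_len + len(body) + 1) % 64) % 64  # pad to a 64-byte boundary
    header_bytes = (body + " " * pad + "\n").encode("latin1")
    length_fmt = "<H" if version[0] == 1 else "<I"
    return (NPY_MAGIC + bytes(version)
            + struct.pack(length_fmt, len(header_bytes)) + header_bytes + data)


def parse_npy_header(blob):
    """Return (header_dict, data_offset) without reading the data section."""
    if not blob.startswith(NPY_MAGIC):
        raise ValueError("not a .npy file")
    major, minor = blob[6], blob[7]
    if major == 1:
        (hlen,) = struct.unpack("<H", blob[8:10])
        start = 10
    elif major in (2, 3):
        (hlen,) = struct.unpack("<I", blob[8:12])
        start = 12
    else:
        raise ValueError("unsupported .npy version %d.%d" % (major, minor))
    raw = blob[start:start + hlen]
    if len(raw) != hlen or not raw.endswith(b"\n"):
        raise ValueError("truncated or malformed header")
    text = raw.decode("utf-8" if major == 3 else "latin1")
    header = ast.literal_eval(text)  # builds literals only; never calls code
    if not isinstance(header, dict) or not all(
            k in header for k in ("descr", "fortran_order", "shape")):
        raise ValueError("header is not a valid .npy header dict")
    return header, start + hlen


def descr_needs_pickle(descr):
    """True if this dtype description can only be loaded by unpickling.

    A plain dtype is a string such as '<i4' or '|O'; a structured dtype is a
    list of (name, sub_descr[, shape]) tuples and may nest. Anything not
    recognised is treated as unsafe.
    """
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    if isinstance(descr, list):
        for field in descr:
            if not isinstance(field, (list, tuple)) or len(field) < 2:
                return True
            if descr_needs_pickle(field[1]):
                return True
        return False
    return True


def safe_load_npy(blob):
    """Return (header, raw_data) for a numeric array; refuse anything needing pickle."""
    header, offset = parse_npy_header(blob)
    if descr_needs_pickle(header["descr"]):
        raise ValueError("object array needs pickle; refusing (allow_pickle=False)")
    return header, blob[offset:]


def demo():
    """Constructed inputs: one benign int32 array, one object array carrying a pickle."""
    numeric = build_npy({"descr": "<i4", "fortran_order": False, "shape": (3,)},
                        struct.pack("<3i", 1, 2, 3))
    # pickle.dumps only serialises the reduce tuple; the os.system call would
    # fire on pickle.load, which the gate never reaches.
    malicious = build_npy({"descr": "|O", "fortran_order": False, "shape": (1,)},
                          pickle.dumps(_EchoPayload()))
    _, data = safe_load_npy(numeric)
    values = struct.unpack("<3i", data)
    try:
        safe_load_npy(malicious)
        refused = False
    except ValueError:
        refused = True
    return values, refused


if __name__ == "__main__":
    print(demo())  # ((1, 2, 3), True)
```

Inside numpy the same refusal is `numpy.load(path, allow_pickle=False)`, which raises ValueError on object arrays; the header gate is for the case where files arrive from untrusted sources and should be rejected before numpy opens them at all (an upload handler, a CI check over a model directory). An .npz archive is a zip of .npy members, so run the check on each member.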
