CVE-2024-34997

2024-05-1719:15:07

Debian Security Bug Tracker

security-tracker.debian.org

joblib vulnerability deserialization unix numpyarraywrapper

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

Percentile

9.0%

JSON

joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array(). NOTE: this is disputed by the supplier because NumpyArrayWrapper is only used during caching of trusted content.

OSVersionArchitecturePackageVersionFilename
Debian12alljoblib<= 1.2.0-4joblib_1.2.0-4_all.deb
Debian11alljoblib<= 0.17.0-4+deb11u1joblib_0.17.0-4+deb11u1_all.deb
Debian999alljoblib<= 1.3.2-3joblib_1.3.2-3_all.deb
Debian13alljoblib<= 1.3.2-2joblib_1.3.2-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	joblib	<= 1.2.0-4	joblib_1.2.0-4_all.deb
Debian	11	all	joblib	<= 0.17.0-4+deb11u1	joblib_0.17.0-4+deb11u1_all.deb
Debian	999	all	joblib	<= 1.3.2-3	joblib_1.3.2-3_all.deb
Debian	13	all	joblib	<= 1.3.2-2	joblib_1.3.2-2_all.deb