Incomplete string comparison in the numpy.core component in NumPy 1.9.x, which allows attackers to fail the APIs via constructing specific string objects. Reference: https://github.com/numpy/numpy/issues/18993
Created python2-numpy tracking bugs for this issue: Affects: epel-7 [bug 2035033]
The flaw presented here is the result of an incomplete string comparison when checking a numeric-style typecode, as the terminator was not considered. While the string comparison flaw can result in API failure in numpy and impact availability, the flaw is unable to result in code execution or compromise confidentiality or integrity of the system. As such the NVD CVSS should be revised to 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
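As an added illustration of the comparison pattern described above (constructed for this page, not code from NumPy or from the bug report): a prefix-only strncmp that never looks at the terminator, beside a version that checks what follows the prefix. The prefix table and the rule that a typecode is a prefix optionally followed by a bit-width are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Constructed table of deprecated "numeric-style" typecode prefixes.
 * Illustrative only: assumed names, not NumPy's actual list. */
static const char *const DEPRECATED_PREFIXES[] = { "Uint", "Str" };
#define NPREFIXES (sizeof(DEPRECATED_PREFIXES) / sizeof(DEPRECATED_PREFIXES[0]))

/* Incomplete comparison (CWE-187 pattern): strncmp bounded by the prefix
 * length never examines the byte after the prefix, so the terminator is
 * not considered and any string that merely starts with the prefix is
 * treated as a deprecated typecode. */
int is_deprecated_prefix_only(const char *type)
{
    for (size_t i = 0; i < NPREFIXES; i++) {
        const char *dep = DEPRECATED_PREFIXES[i];
        if (strncmp(type, dep, strlen(dep)) == 0)
            return 1;
    }
    return 0;
}

/* Complete comparison: after the prefix the string must end (terminator)
 * or continue with digits only (assumed bit-width suffix). Anything else
 * is rejected instead of being silently accepted. */
int is_deprecated_complete(const char *type)
{
    for (size_t i = 0; i < NPREFIXES; i++) {
        const char *dep = DEPRECATED_PREFIXES[i];
        size_t n = strlen(dep);
        if (strncmp(type, dep, n) != 0)
            continue;
        const char *rest = type + n;
        if (*rest == '\0')
            return 1;                       /* exact match, e.g. "Uint" */
        while (isdigit((unsigned char)*rest))
            rest++;
        return (*rest == '\0') ? 1 : 0;     /* "Uint8" yes, "Uintx" no */
    }
    return 0;
}
```

The prefix-only check accepts "Uintx" as a deprecated typecode; the complete check accepts "Uint" and "Uint8" but rejects "Uintx", "Uint8x" and "Uin".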
The check is used to determine if a deprecation warning should be emitted or not. How is this a security issue? What does "fail the APIs" even mean?
I'm concerned that the only tracking bug created in the "Affects" section is for a package that exists only to depend on another package and has no actual code. Perhaps there is something I cannot see since all of the other bugs in the dependency chain are inaccessible to me, but if not then it looks like the bug wasn't filed against the proper package.