Bug 2281993 (CVE-2024-34997) - CVE-2024-34997 python-joblib: Deserialization vulnerability via joblib.numpy_pickle::NumpyArrayWrapper().read_array()
Summary: CVE-2024-34997 python-joblib: Deserialization vulnerability via joblib.numpy_...
Keywords:
Status: NEW
Alias: CVE-2024-34997
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2281994 2281996
Blocks: 2281997
TreeView+ depends on / blocked
 
Reported: 2024-05-20 18:07 UTC by Pedro Sampaio
Modified: 2025-04-01 08:28 UTC (History)
15 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2024-05-20 18:07:44 UTC 
joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array().

References:

https://github.com/joblib/joblib/issues/1582
https://github.com/joblib/joblib/pull/1585

Ps.: Issue with pickle lib is well known and warned about upstream:

https://docs.python.org/3.11//library/pickle.html

So no fix planned for this upstream. CVE was assigned by Debian, dispute/rejection requestes should e directed there.
Comment 1 Pedro Sampaio 2024-05-20 18:07:59 UTC 
Created python-joblib tracking bugs for this issue:

Affects: fedora-all [bug 2281994]
Comment 2 Pedro Sampaio 2024-05-20 18:19:21 UTC 
Created python-mne tracking bugs for this issue:

Affects: fedora-all [bug 2281996]
Note You need to log in before you can comment on or make changes to this bug.