scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the joblib.load() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2020-05-15T18:41:33
Updated: 2024-08-04T12:11:18.980Z
Reserved: 2020-05-15T00:00:00
Link: CVE-2020-13092
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-05-15T19:15:12.277
Modified: 2024-11-21T05:00:39.113
Link: CVE-2020-13092
Redhat
No data.