scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the joblib.load() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-15T18:41:33

Updated: 2024-08-04T12:11:18.980Z

Reserved: 2020-05-15T00:00:00

Link: CVE-2020-13092

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-05-15T19:15:12.277

Modified: 2024-11-21T05:00:39.113

Link: CVE-2020-13092

cve-icon Redhat

No data.