CVE-2020-28975 - OpenCVE

svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array. NOTE: the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Scikit-learn	Scikit-learn

Configuration 1 [-]

cpe:2.3:a:scikit-learn:scikit-learn:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/160281/SciKit-Learn-0.23.2-Denial-Of-Service.html
http://seclists.org/fulldisclosure/2020/Nov/44
https://github.com/cjlin1/libsvm/blob/9a3a9708926dec87d382c43b203f2ca19c2d56a0/svm.cpp#L2501
https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85
https://github.com/scikit-learn/scikit-learn/issues/18891
https://security.gentoo.org/glsa/202301-03

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-11-21T00:00:00

Updated: 2024-08-04T16:48:01.573Z

Reserved: 2020-11-21T00:00:00

Link: CVE-2020-28975

Vulnrichment

Updated: 2024-08-04T16:48:01.573Z

NVD

Status : Modified

Published: 2020-11-21T21:15:10.680

Modified: 2024-08-04T17:15:44.607

Link: CVE-2020-28975

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-28975", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T16:48:01.573Z", "dateReserved": "2020-11-21T00:00:00", "datePublished": "2020-11-21T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array. NOTE: the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/scikit-learn/scikit-learn/issues/18891"}, {"url": "https://github.com/cjlin1/libsvm/blob/9a3a9708926dec87d382c43b203f2ca19c2d56a0/svm.cpp#L2501"}, {"name": "20201130 scikit-learn 0.23.2 Local Denial of Service", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2020/Nov/44"}, {"url": "http://packetstormsecurity.com/files/160281/SciKit-Learn-0.23.2-Denial-Of-Service.html"}, {"url": "https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85"}, {"name": "GLSA-202301-03", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202301-03"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-26T20:03:17.341405Z", "id": "CVE-2020-28975", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T20:03:29.403Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:48:01.573Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/scikit-learn/scikit-learn/issues/18891", "tags": ["x_transferred"]}, {"url": "https://github.com/cjlin1/libsvm/blob/9a3a9708926dec87d382c43b203f2ca19c2d56a0/svm.cpp#L2501", "tags": ["x_transferred"]}, {"name": "20201130 scikit-learn 0.23.2 Local Denial of Service", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2020/Nov/44"}, {"url": "http://packetstormsecurity.com/files/160281/SciKit-Learn-0.23.2-Denial-Of-Service.html", "tags": ["x_transferred"]}, {"url": "https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85", "tags": ["x_transferred"]}, {"name": "GLSA-202301-03", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202301-03"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/scikit-learn/scikit-learn/issues/18891", "tags": ["x_transferred"]}, {"url": "https://github.com/cjlin1/libsvm/blob/9a3a9708926dec87d382c43b203f2ca19c2d56a0/svm.cpp#L2501", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2020/Nov/44", "name": "20201130 scikit-learn 0.23.2 Local Denial of Service", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://packetstormsecurity.com/files/160281/SciKit-Learn-0.23.2-Denial-Of-Service.html", "tags": ["x_transferred"]}, {"url": "https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202301-03", "name": "GLSA-202301-03", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:48:01.573Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-28975", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-26T20:03:17.341405Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T20:03:25.746Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/scikit-learn/scikit-learn/issues/18891"}, {"url": "https://github.com/cjlin1/libsvm/blob/9a3a9708926dec87d382c43b203f2ca19c2d56a0/svm.cpp#L2501"}, {"url": "http://seclists.org/fulldisclosure/2020/Nov/44", "name": "20201130 scikit-learn 0.23.2 Local Denial of Service", "tags": ["mailing-list"]}, {"url": "http://packetstormsecurity.com/files/160281/SciKit-Learn-0.23.2-Denial-Of-Service.html"}, {"url": "https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85"}, {"url": "https://security.gentoo.org/glsa/202301-03", "name": "GLSA-202301-03", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array. NOTE: the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-11T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2020-28975", "state": "PUBLISHED", "dateUpdated": "2024-08-04T16:48:01.573Z", "dateReserved": "2020-11-21T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2020-11-21T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scikit-learn:scikit-learn:*:*:*:*:*:*:*:*", "matchCriteriaId": "4320862C-5961-4410-A723-8AC2475C9C51", "versionEndExcluding": "1.0.1", "versionStartIncluding": "0.23.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array. NOTE: the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute."}, {"lang": "es", "value": "**EN DISPUTA** La funci\u00f3n svm_predict_values en el archivo svm.cpp en Libsvm versi\u00f3n v324, como es usado en scikit-learn versiones 0.23.2 y otros productos, permite a atacantes causar una denegaci\u00f3n de servicio (fallo de segmentaci\u00f3n) por medio de un modelo SVM dise\u00f1ado (introducido por medio de pickle, json o cualquier otro modelo est\u00e1ndar de permanencia) con un valor grande en la matriz _n_supportNOTA: la posici\u00f3n del proveedor de scikit-learn es que el comportamiento s\u00f3lo puede ocurrir si la API de la biblioteca es violada por una aplicaci\u00f3n que cambia un atributo privado"}], "id": "CVE-2020-28975", "lastModified": "2024-08-04T17:15:44.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-21T21:15:10.680", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/160281/SciKit-Learn-0.23.2-Denial-Of-Service.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2020/Nov/44"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cjlin1/libsvm/blob/9a3a9708926dec87d382c43b203f2ca19c2d56a0/svm.cpp#L2501"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/scikit-learn/scikit-learn/issues/18891"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202301-03"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}