CVE-2024-34997Deserialization of Untrusted Data in Project Joblib

CWE-502Deserialization of Untrusted Data6 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.5%
top 34.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Joblib Project JoblibDebian Joblib
Timeline
PublishedMay 17

Description

joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array(). NOTE: this is disputed by the supplier because NumpyArrayWrapper is only used during caching of trusted content.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

debiandebian/joblib

🔴Vulnerability Details

3
OSV
CVE-2024-34997: joblib v12024-05-17
OSV
CVE-2024-34997: ** DISPUTED ** joblib v12024-05-17
GHSA
GHSA-rf65-fc2p-2gjv: joblib v12024-05-17

📋Vendor Advisories

2
Red Hat
python-joblib: Deserialization vulnerability via joblib.numpy_pickle::NumpyArrayWrapper().read_array()2024-05-17
Debian
CVE-2024-34997: joblib - joblib v1.4.2 was discovered to contain a deserialization vulnerability via the ...2024
CVE-2024-34997 — Deserialization of Untrusted Data | cvebase