CVE-2024-29032

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-29032
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-29032.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-29032
Published
2024-03-20T20:30:38.954Z
Modified
2025-11-15T18:49:06.663267Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
`qiskit_ibm_runtime.RuntimeDecoder` can execute arbitrary code
Details

Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Starting in version 0.1.0 and prior to version 0.21.2, deserializing JSON data using `qiskit_ibm_runtime.RuntimeDecoder` can lead to arbitrary code execution given a correctly formatted input string. Version 0.21.2 contains a fix for this issue.

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ]
}

Affected packages

Git / github.com/qiskit/qiskit-ibm-runtime

Affected ranges

Type
GIT
Repo
https://github.com/qiskit/qiskit-ibm-runtime

Affected versions

0.*

0.1.0
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.12.2
0.13.0
0.14.0
0.15.0
0.15.1
0.16.0
0.16.1
0.17.0
0.18.0
0.19.0
0.19.1
0.2.0
0.20.0
0.21.0
0.21.1
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.7.0rc1
0.7.0rc2
0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4