PYSEC-2020-107
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/scikit-learn/PYSEC-2020-107.yaml
- JSON Data
- https://api.test.osv.dev/v1/vulns/PYSEC-2020-107
- Aliases
- Published
- 2020-05-15T19:15:00Z
- Modified
- 2024-04-22T23:12:27.661461Z
- Summary
- [none]
- Details
-
* DISPUTED * scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if reduce makes an os.system call. NOTE: third parties dispute this issue because the joblib.load() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner.
- References
Affected packages
PyPI / scikit-learn
Package
- Name
- scikit-learn
- View open source insights on deps.dev
- Purl
- pkg:pypi/scikit-learn
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.23.1
Affected versions
0.*
0.9
0.10
0.11
0.12
0.12.1
0.13
0.13.1
0.14a1
0.14
0.14.1
0.15.0b1
0.15.0b2
0.15.0
0.15.1
0.15.2
0.16b1
0.16.0
0.16.1
0.17b1
0.17
0.17.1
0.18rc2
0.18
0.18.1
0.18.2
0.19b2
0.19.0
0.19.1
0.19.2
0.20rc1
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.21rc2
0.21.0
0.21.1
0.21.2
0.21.3
0.22rc2.post1
0.22rc3
0.22
0.22.1
0.22.2
0.22.2.post1
0.23.0rc1
0.23.0