CVE-2024-34997

joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array(). NOTE: this is disputed by the supplier because NumpyArrayWrapper is only used during caching of trusted content.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
VendorProductVersion
joblib_projectjoblib
1.4.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
joblib
bullseye
unimportant
bookworm
unimportant
trixie
unimportant
forky
unimportant
sid
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
joblib
noble
not-affected
mantic
ignored
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://github.com/joblib/joblib/issues/1582
https://github.com/joblib/joblib/issues/977
https://github.com/joblib/joblib/issues/1582
https://github.com/joblib/joblib/issues/977