This covers the pandas, numpy and joblib unsafe deserialization vulnerability, which occurs when an attacker is able to inject data into the deserialization method, leading to Remote Code Execution. numpy and joblib do not deserialize the input itself but the content of the file, like other libraries modelled for insecure deserialization, but it is worth alerting on. In the case of pandas, the input could be an attacker-controlled URL containing the data to deserialize, which could lead to Remote Code Execution.
The dataflow configuration I used is the Unsafe Deserialization default, looking for a RemoteFlowSource flowing to the deserialization of data by pandas, numpy and joblib. The sinks are `pandas.read_pickle`, `numpy.load` and `joblib.load`.
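As an added illustration (not part of this submission or of the CodeQL query), a stdlib-only checker that locates the three sinks named above in Python source; it treats `numpy.load` as safe only when it is called with a literal `allow_pickle=False`. The sample handler, including its `flask` `request` usage, is constructed. It finds sink calls only; it does not perform the RemoteFlowSource taint tracking the query does.

```python
import ast

# Pickle-based loaders the report treats as sinks: (module, attribute).
SINKS = {("pandas", "read_pickle"), ("numpy", "load"), ("joblib", "load")}

def _import_aliases(tree):
    """Map local names to modules: `import numpy as np` gives {'np': 'numpy'}."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
    return aliases

def _pickle_disabled(call):
    """True when the call passes the literal keyword allow_pickle=False."""
    return any(kw.arg == "allow_pickle" and isinstance(kw.value, ast.Constant)
               and kw.value.value is False for kw in call.keywords)

def find_unsafe_loads(source):
    """Return [(line, 'module.func')] per sink call; numpy.load with a literal
    allow_pickle=False is skipped."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    hits = []
    for node in ast.walk(tree):
        func = node.func if isinstance(node, ast.Call) else None
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
            continue
        module = aliases.get(func.value.id)
        if (module, func.attr) not in SINKS:
            continue
        if module == "numpy" and _pickle_disabled(node):
            continue
        hits.append((node.lineno, f"{module}.{func.attr}"))
    return hits

# Constructed sample (not code from the report): client input reaches each loader.
SAMPLE = """\
import pandas as pd
import numpy as np
import joblib
from flask import request

def load_all():
    df = pd.read_pickle(request.args["url"])  # URL chosen by the client: remote pickle
    arr = np.load(request.files["f"], allow_pickle=False)  # object arrays refused
    model = joblib.load(request.files["m"])  # joblib is pickle-based
    return df, arr, model
"""
```

Calls reached through `from pandas import read_pickle` or through a wrapper function are not covered; that is what the full dataflow query in the PR is for.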
Are you planning to discuss this vulnerability submission publicly? (Blog post, social networks, etc.): Yes / No
Blog post link: No response
Query PR: github/codeql#13781
Language: Python
CVE(s) ID list:
CWE: CWE-502: Deserialization Of Untrusted Data