Critical severity. NVD Advisory. Published May 15, 2020. Updated Aug 4, 2024.
CVE-2020-13092
Description
scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the joblib.load() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner.
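As an added defensive example (not part of this advisory, nor code from scikit-learn or joblib), the scanner below statically lists the globals a pickle stream would import, using only the standard library, so a model file that references os.system is rejected before anything in it is executed. The allowlist and the sample blobs are constructed assumptions, and the two hand-built blobs only import the name os.system; no call is made.

```python
import collections
import pickle
import pickletools

# Opcode groups: str pushes (STACK_GLOBAL operands), memo traffic, and framing ops that push nothing.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"}
MEMO_PUT, MEMO_GET, NO_PUSH = {"PUT", "BINPUT", "LONG_BINPUT"}, {"GET", "BINGET", "LONG_BINGET"}, {"PROTO", "FRAME", "STOP"}

def referenced_globals(data: bytes):
    """Statically list every (module, name) the stream would import; nothing in it is executed."""
    refs, recent, memo = [], [None, None], {}   # recent = last two stack pushes, str or None if unknown
    for op, arg, _pos in pickletools.genops(data):
        n = op.name
        if n in NO_PUSH:
            continue
        if n == "MEMOIZE":
            memo[len(memo)] = recent[-1]
        elif n in MEMO_PUT:
            memo[arg] = recent[-1]
        elif n == "GLOBAL":                       # protocol <= 3: "module name" is one inline operand
            refs.append(tuple(arg.split(" ", 1)))
            recent = [recent[-1], None]
        elif n == "STACK_GLOBAL":                 # protocol 4+: module and name were pushed just before
            refs.append(tuple(recent) if None not in recent else ("<unresolved>", "<unresolved>"))
            recent = [None, None]                 # fail closed: an unresolvable pair is reported, not ignored
        else:                                     # anything else pushes a str, a memo lookup, or "unknown"
            recent = [recent[-1], arg if n in STRING_OPS else memo.get(arg) if n in MEMO_GET else None]
    return refs

# ASSUMPTION: allowlist for plain scikit-learn models; tune it to what your own files legitimately contain.
# Allowing a package does not vet every callable in it, so keep this list as small as your models permit.
ALLOWED_TOP_LEVEL = {"sklearn", "numpy", "scipy", "joblib", "collections"}
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "slice", "range", "bytearray", "complex"}

def disallowed_globals(data: bytes):
    """Globals outside the allowlist (os.system, subprocess.*, ...); an empty list means the gate passes."""
    return [(mod, name) for mod, name in referenced_globals(data)
            if not (mod == "builtins" and name in SAFE_BUILTINS) and mod.split(".")[0] not in ALLOWED_TOP_LEVEL]

# Constructed samples: a benign object, and streams that merely import os.system by name (no call is made).
BENIGN = pickle.dumps(collections.OrderedDict(n_features_in_=2), protocol=4)
IMPORTS_OS_SYSTEM_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93."   # PROTO 4, 'os', 'system', STACK_GLOBAL, STOP
IMPORTS_OS_SYSTEM_P2 = b"\x80\x02cos\nsystem\n."                  # PROTO 2, GLOBAL "os system", STOP

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("proto4", IMPORTS_OS_SYSTEM_P4), ("proto2", IMPORTS_OS_SYSTEM_P2)]:
        print(label, "imports:", referenced_globals(blob), "blocked:", disallowed_globals(blob))
```

joblib's own container format interleaves raw ndarray bytes with the pickle stream, so on a real .joblib file holding arrays the scan may raise instead of returning; treat that as a reject, never as a pass.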
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| scikit-learn (PyPI) | <= 0.23.0 | — |
Affected products
- scikit-learn/scikit-learn
References
- github.com/advisories/GHSA-jjw5-xxj6-pcv5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13092 (NVD advisory)
- github.com/0FuzzingQ/vuln/blob/master/sklearn%20unserialize.md (web)
- github.com/pypa/advisory-database/tree/main/vulns/scikit-learn/PYSEC-2020-107.yaml (web)
- scikit-learn.org/stable/modules/model_persistence.html (web)