CVE-2019-6446 (Critical) detected in numpy-1.14.2.zip - autoclosed

[mend-bolt-for-github[bot]]

CVE-2019-6446 - Critical Severity Vulnerability

Vulnerable Library - numpy-1.14.2.zip

Fundamental package for array computing in Python

Library home page: https://files.pythonhosted.org/packages/0b/66/86185402ee2d55865c675c06a5cfef742e39f4635a4ce1b1aefd20711c13/numpy-1.14.2.zip

Path to dependency file: /tmp/ws-scm/easybuggy4django.old

Path to vulnerable library: /tmp/ws-scm/easybuggy4django.old

Dependency Hierarchy: - :x: **numpy-1.14.2.zip** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources

Publish Date: 2019-01-16

URL: CVE-2019-6446

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859

Release Date: 2019-01-16

Fix Resolution: 1.16.2

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.