OSSIndex / vulns

Report missing advisories and corrections on OSS Index

False positive on pandas 1.3.3 - CVE-2020-13091 #302

Closed bahrb closed 1 year ago

bahrb commented 2 years ago

Vulnerability URL: https://ossindex.sonatype.org/vuln/CVE-2020-13091

Component URL: https://ossindex.sonatype.org/component/pkg:pypi/pandas

Description: Using pandas in version 1.3.3 raised CVE-2020-13091, which was fixed beyond 1.0.3. The issue occurred in dependency-track with the OSS-Index Analyzer. See https://github.com/DependencyTrack/dependency-track/issues/1707

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 1 year ago

The vulnerability has not been fixed; rather, it was disputed by the maintainers, but Sonatype researchers have decided to still report on it due to the widely known unsafe nature of read_pickle(), meaning that the researchers feel there is still risk.

There is an upcoming feature in OSS Index that will provide this "deviation" explanation when OSS Index deviates from the CVEs.

mseals1 commented 1 year ago

This CVE is still popping up on pandas v1.4.2. The description of the CVE says it only affects up to v1.0.3 and is disputed for that version. Shouldn't any pandas versions past v1.0.3 not have this CVE show up at all?

ken-duck commented 1 year ago

When this particular CVE was created the latest version was 1.0.3, and the description for the CVE says this:

pandas through 1.0.3 can unserialize and execute commands

which means the latest version was vulnerable. New versions have since been released, though the CVE itself has not been updated. Sonatype's security researchers have confirmed that the (disputed) code is still present in even the latest version of Pandas.
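Added example (Python, not code from pandas, Sonatype or OSS Index) illustrating the risk discussed in this thread: loading a pickle, which is what read_pickle() does underneath, executes a callable named in the stream, and an allowlisting Unpickler is one way to refuse untrusted content. The CallsOnLoad class, the SAFE_GLOBALS allowlist and the harmless os.getcwd call are constructed for this example.

```python
import io
import os
import pickle


class CallsOnLoad:
    """Constructed sample: pickling this object records 'call os.getcwd()'.

    Loading the resulting bytes performs that call. os.getcwd is used only
    because it is harmless and its result is easy to observe."""

    def __reduce__(self):
        return (os.getcwd, ())


# Allowlist of (module, name) globals the loader may resolve (example assumption).
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any class or function outside SAFE_GLOBALS.

    Every global a pickle references is resolved through find_class, so this
    single method is the choke point for stopping loader-chosen callables."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def unrestricted_load(data: bytes):
    """Plain pickle.loads: runs whatever callable the stream names."""
    return pickle.loads(data)


def restricted_load(data: bytes):
    """Same bytes, loaded through the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    payload = pickle.dumps(CallsOnLoad())
    ran = unrestricted_load(payload) == os.getcwd()  # the call happened during load
    try:
        restricted_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    benign = restricted_load(pickle.dumps({"rows": [1, 2, 3]}))  # plain data still loads
    return ran, blocked, benign
```

pandas' read_pickle() uses the standard unpickler, so the version check a CVE database performs says nothing about whether a given file is safe to load; only the file's provenance does.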