github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-rf65-fc2p-2gjv] joblib v1.4.2 was discovered to contain a deserialization... #4541

Closed tomMoral closed 3 days ago

tomMoral commented 2 weeks ago


Here, the NumpyArrayWrapper is used internally to persist numpy arrays in the context of sharing objects between two processes/distributed experiments/caching. The same issue is present natively in the pickle protocol, but it is used in this context, as the pickle is produced by the main process, which should have a secure connection with the worker processes. For joblib.load there is a note stating it should never be used to load files from untrusted sources.

So I think this security alert can be dropped.
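The comment above rests on a point worth seeing in code: a pickle stream is a program, so loading bytes from an untrusted source hands the producer of those bytes control of the loading process, whatever wrapper class (NumpyArrayWrapper or otherwise) sits on top. The following is an added example written for this page; it is not code from joblib, from the advisory, or from either commenter. It uses the standard-library `pickle` module directly, as the comment says the issue is native to the protocol. The payload stand-in (`builtins.eval` returning the process id), the `SAFE_GLOBALS` allowlist, the 32-byte HMAC-SHA256 tag layout, and the shared `key` are all assumptions made for illustration, not joblib's mechanisms.

```python
"""Why unpickling untrusted bytes is code execution, and two ways to avoid it.

Added example for this page; not joblib or advisory code.
"""
import hashlib
import hmac
import io
import os
import pickle


# --- producer-controlled side: a pickle whose content is a call, not data ----
class Payload:
    """Pickles as: call builtins.eval("...") when loaded.

    eval() returning the loader's PID is a harmless, checkable stand-in
    (assumption for this example); a real payload can run anything.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_untrusted_blob() -> bytes:
    return pickle.dumps(Payload())


# --- the bug: unpickling bytes whose producer is not trusted -----------------
def unsafe_load(blob: bytes):
    return pickle.loads(blob)


def untrusted_pickle_runs_code() -> bool:
    """True if loading the blob executed code inside this process."""
    return unsafe_load(build_untrusted_blob()) == os.getpid()


# --- fix 1: only resolve globals that are explicitly allowed -----------------
# Illustrative allowlist (assumption). A real one for array files would have
# to enumerate every reconstruction callable the format needs, which is
# exactly why the pickle docs say never to load untrusted data at all.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_load_rejects_payload() -> bool:
    try:
        restricted_load(build_untrusted_blob())
    except pickle.UnpicklingError:
        return True
    return False


def restricted_load_accepts_plain_data() -> bool:
    # Built-in containers need no global lookup, so they pass the allowlist.
    sample = {"weights": [0.1, 0.2], "epochs": 3}
    return restricted_load(pickle.dumps(sample)) == sample


# --- fix 2: authenticate the producer before unpickling ----------------------
# This is the "secure connection" case from the comment above: the process
# that wrote the bytes proves it holds the shared key. Layout (assumption):
# 32-byte HMAC-SHA256 tag followed by the pickle body.
TAG_LEN = 32


def tagged_dumps(obj, key: bytes) -> bytes:
    body = pickle.dumps(obj)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def tagged_loads(blob: bytes, key: bytes):
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad HMAC tag: refusing to unpickle")
    return pickle.loads(body)


def tagged_roundtrip_and_tamper() -> tuple:
    """Returns (restored object, whether a swapped-in body was refused)."""
    key = os.urandom(32)  # constructed for the example; share it out of band
    good = tagged_dumps({"weights": [0.1, 0.2]}, key)
    restored = tagged_loads(good, key)
    # Keep the valid tag, replace the body with the malicious pickle.
    forged = good[:TAG_LEN] + build_untrusted_blob()
    try:
        tagged_loads(forged, key)
        refused = False
    except ValueError:
        refused = True
    return restored, refused


if __name__ == "__main__":
    print("untrusted pickle ran code:", untrusted_pickle_runs_code())
    print("allowlist rejected payload:", restricted_load_rejects_payload())
    print("tagged load:", tagged_roundtrip_and_tamper())
```

The two fixes answer different questions. The allowlist limits what a stream may reference and is only practical when the set of needed callables is small and stable; the HMAC tag instead establishes who produced the bytes, which is the property the comment relies on for main-process-to-worker sharing and caching, and it protects nothing if the key is reachable by whoever can write the file.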

JonathanLEvans commented 2 weeks ago

Hi @tomMoral, thank you for your contribution. GHSA-rf65-fc2p-2gjv is unreviewed in our database and therefore will not send out alerts. To get the CVE removed, please contact MITRE (the assigning CNA) with your concerns.