CVE-2023-25399 (Medium) detected in scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

[mend-for-github-com[bot]]

CVE-2023-25399 - Medium Severity Vulnerability

Vulnerable Library - scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

SciPy: Scientific Library for Python

Library home page: https://files.pythonhosted.org/packages/58/4f/11f34cfc57ead25752a7992b069c36f5d18421958ebd6466ecd849aeaf86/scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy: - :x: **scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 20223e6dfcc3395c19180099a6af52ce9a76a77a

Found in base branch: main

Vulnerability Details

A refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function.

Publish Date: 2023-07-05

URL: CVE-2023-25399

CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25399

Release Date: 2023-07-05

Fix Resolution: 1.10.0

---

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

[dhrubo-os]

Closing this in favor of : https://github.com/opensearch-project/opensearch-py-ml/issues/230