CVE-2021-34141 - Medium Severity Vulnerability
Vulnerable Library - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
NumPy is the fundamental package for array computing with Python.
Library home page: https://files.pythonhosted.org/packages/50/46/292cff79f5b30151b027400efdb3f740ea03271b600751b6696cf550c10d/numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Path to dependency file: /tmp/ws-scm/tilde
Path to vulnerable library: /tmp/ws-scm/tilde
Dependency Hierarchy:
- :x: **numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: 0bd1a4b97dc137c04d77dc0d111e518eb9b171e1
Vulnerability Details
An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Publish Date: 2021-12-17
URL: https://nvd.nist.gov/vuln/detail/CVE-2021-34141
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-34141
Release Date: 2021-12-17
Fix Resolution: numpy - 1.22.0rc1,1.12.0b1;numpy-base - 1.16.2;numpy - 1.13.2,1.17.4;albatradis - 1.0.1