CVE-2019-6446 (High) detected in numpy-1.14.5-cp27-cp27mu-manylinux1_x86_64.whl

[mend-bolt-for-github[bot]]

CVE-2019-6446 - High Severity Vulnerability

Vulnerable Library - numpy-1.14.5-cp27-cp27mu-manylinux1_x86_64.whl

NumPy: array processing for numbers, strings, records, and objects.

Library home page: https://files.pythonhosted.org/packages/6a/a9/c01a2d5f7b045f508c8cefef3b079fe8c413d05498ca0ae877cffa230564/numpy-1.14.5-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /SBtab/requirements.txt

Path to vulnerable library: teSource-ArchiveExtractor_7e784e60-aa9b-4af5-92e1-0ac79413cb86/20190507134141_55527/20190507134048_depth_0/numpy-1.14.5-cp27-cp27mu-manylinux1_x86_64/numpy

Dependency Hierarchy: - :x: **numpy-1.14.5-cp27-cp27mu-manylinux1_x86_64.whl** (Vulnerable Library)

Vulnerability Details

** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

Publish Date: 2019-01-16

URL: CVE-2019-6446

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859

Release Date: 2019-01-16

Fix Resolution: 1.16.2

---

Step up your Open Source Security Game with WhiteSource here