Nixpkgs Security Tracker

Permalink CVE-2024-37065

7.8 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 months ago

Deserialization of untrusted data can occur in versions 0.6 or …

Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded.

References

https://hiddenlayer.com/sai-security-advisory/skops-june2024
https://hiddenlayer.com/sai-security-advisory/skops-june2024
https://hiddenlayer.com/sai-security-advisory/skops-june2024 x_transferred

Affected products

skops

=<*
==0.6

Matching in nixpkgs

pkgs.python312Packages.skops

Library for saving/loading, sharing, and deploying scikit-learn based models

nixos-unstable -
- nixpkgs-unstable 0.13.0

pkgs.python313Packages.skops