CVE-2024-29032

2024-03-2021:15:31

CWE-502

[email protected]

web.nvd.nist.gov

qiskit

ibm runtime

vulnerability

json

code execution

quantum computing

5.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

5.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Starting in version 0.1.0 and prior to version 0.21.2, deserializing json data using qiskit_ibm_runtime.RuntimeDecoder can lead to arbitrary code execution given a correctly formatted input string. Version 0.21.2 contains a fix for this issue.

Affected configurations

Vulners

Node

qiskitqiskit_ibm_runtimeRange0.1.0–0.21.2

CNA Affected

[
  {
    "vendor": "Qiskit",
    "product": "qiskit-ibm-runtime",
    "versions": [
      {
        "version": ">= 0.1.0, < 0.21.2",
        "status": "affected"
      }
    ]
  }
]