CVE-2024-29032 `qiskit_ibm_runtime.RuntimeDecoder` can execute arbitrary code

2024-03-2020:30:38

CWE-502

GitHub_M

www.cve.org

qiskit ibm runtime

arbitrary code execution

json deserialization

security vulnerability

cve-2024-29032

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

Confidence

High

EPSS

Percentile

15.5%

JSON

Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Starting in version 0.1.0 and prior to version 0.21.2, deserializing json data using qiskit_ibm_runtime.RuntimeDecoder can lead to arbitrary code execution given a correctly formatted input string. Version 0.21.2 contains a fix for this issue.

CNA Affected

[
  {
    "vendor": "Qiskit",
    "product": "qiskit-ibm-runtime",
    "versions": [
      {
        "version": ">= 0.1.0, < 0.21.2",
        "status": "affected"
      }
    ]
  }
]