CVE-2024-37065

2024-06-0412:03:19

CWE-502

HiddenLayer

github.com

skops library

python

deserialization

vulnerability

arbitrary code

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user’s system when loaded.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "skops",
    "product": "Skops",
    "repo": "https://github.com/skops-dev/skops",
    "vendor": "Skops-dev",
    "versions": [
      {
        "lessThanOrEqual": "*",
        "status": "affected",
        "version": "0.6",
        "versionType": "semver"
      }
    ]
  }
]