{"id":"CVE-2019-6446","details":"An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because the behavior might have legitimate applications, for example loading serialized Python object arrays from trusted and authenticated sources; the exposure arises when numpy.load is applied to files from untrusted sources. NumPy 1.16.3 changed the default of the allow_pickle parameter of numpy.load to False, so unpickling requires explicit opt-in.","aliases":["GHSA-9fq2-x9r6-wfmf","PYSEC-2019-108"],"modified":"2026-04-16T04:38:13.125011821Z","published":"2019-01-16T05:29:01.370Z","related":["ALSA-2019:3335","SUSE-SU-2019:0418-1","SUSE-SU-2019:0419-1","SUSE-SU-2019:0448-1","SUSE-SU-2019:13951-1","SUSE-SU-2019:13977-1","SUSE-SU-2019:2462-1","SUSE-SU-2019:2462-2","openSUSE-SU-2019:0245-1","openSUSE-SU-2019:2225-1","openSUSE-SU-2019:2227-1","openSUSE-SU-2019:2259-1","openSUSE-SU-2024:11243-1","openSUSE-SU-2024:13820-1","openSUSE-SU-2024:14311-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00091.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00092.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00015.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3335"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106670"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3704"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1122208"},{"type":"REPORT","url":"https://github.com/numpy/numpy/issues/12759"},{"type":"FIX","url":"https://github.com/numpy/numpy/pull/12889"
},{"type":"FIX","url":"https://github.com/numpy/numpy/commit/89b688732b37616c9d26623f81aaee1703c30ffb"},{"type":"FIX","url":"https://github.com/numpy/numpy/pull/13359"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/numpy/numpy","events":[{"introduced":"0"},{"last_affected":"971e2e89d08deeae0139d3011d15646fdac13c92"},{"fixed":"89b688732b37616c9d26623f81aaee1703c30ffb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.16.0"}]}}],"versions":["pre-removal-numpybook","v0.2.2","v0.3.0","v1.16.0","v1.16.0rc1","v1.16.0rc2","v1.16.1","v1.16.2","with_maskna"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"30"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-6446.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}