{"id":"PYSEC-2019-108","details":"** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.","aliases":["CVE-2019-6446","GHSA-9fq2-x9r6-wfmf"],"modified":"2023-11-08T04:01:37.692738Z","published":"2019-01-16T05:29:00Z","references":[{"type":"REPORT","url":"https://github.com/numpy/numpy/issues/12759"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1122208"},{"type":"WEB","url":"http://www.securityfocus.com/bid/106670"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00091.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00092.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00015.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3335"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3704"}],"affected":[{"package":{"name":"numpy","ecosystem":"PyPI","purl":"pkg:pypi/numpy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.16.1"}]}],"versions":["0.9.6","0.9.8","1.0b1","1.0b4","1.0b5","1.0rc1","1.0rc2","1.0rc3","1.0","1.0.3","1.0.4","1.1.1","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.5.0","1.5.1","1.6.0","1.6.1","1.6.2","1.7.0","1.7.1","1.7.2","1.8.0","1.8.1","1.8.2","1.9.0","1.9.1","1.9.2","1.9.3","1.10.0","1.10.1","1.10.2","1.10.3","1.10.4","1.11.0","1.11.1","1.11.2","1.11.3","1.12.0","1.12.1","1.13.0rc1","1.13.0rc2","1.13.0","1.13.1"
,"1.13.3","1.14.0rc1","1.14.0","1.14.1","1.14.2","1.14.3","1.14.4","1.14.5","1.14.6","1.15.0rc1","1.15.0rc2","1.15.0","1.15.1","1.15.2","1.15.3","1.15.4","1.16.0rc1","1.16.0rc2","1.16.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/numpy/PYSEC-2019-108.yaml"}}],"schema_version":"1.7.3"}