Vulnerability Details CVE-2020-13092
scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the joblib.load() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 74.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2020-13092
- cpe:2.3:a:scikit-learn:scikit-learn:-
- cpe:2.3:a:scikit-learn:scikit-learn:0.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.10
- cpe:2.3:a:scikit-learn:scikit-learn:0.11
- cpe:2.3:a:scikit-learn:scikit-learn:0.12
- cpe:2.3:a:scikit-learn:scikit-learn:0.12.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.13
- cpe:2.3:a:scikit-learn:scikit-learn:0.13.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.14
- cpe:2.3:a:scikit-learn:scikit-learn:0.14.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.15.0
- cpe:2.3:a:scikit-learn:scikit-learn:0.15.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.15.2
- cpe:2.3:a:scikit-learn:scikit-learn:0.16.0
- cpe:2.3:a:scikit-learn:scikit-learn:0.16.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.17
- cpe:2.3:a:scikit-learn:scikit-learn:0.17.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.18
- cpe:2.3:a:scikit-learn:scikit-learn:0.18.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.18.2
- cpe:2.3:a:scikit-learn:scikit-learn:0.19
- cpe:2.3:a:scikit-learn:scikit-learn:0.19.0
- cpe:2.3:a:scikit-learn:scikit-learn:0.19.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.19.2
- cpe:2.3:a:scikit-learn:scikit-learn:0.2
- cpe:2.3:a:scikit-learn:scikit-learn:0.20
- cpe:2.3:a:scikit-learn:scikit-learn:0.20.0
- cpe:2.3:a:scikit-learn:scikit-learn:0.20.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.20.2
- cpe:2.3:a:scikit-learn:scikit-learn:0.20.3
- cpe:2.3:a:scikit-learn:scikit-learn:0.20.4
- cpe:2.3:a:scikit-learn:scikit-learn:0.21
- cpe:2.3:a:scikit-learn:scikit-learn:0.21.0
- cpe:2.3:a:scikit-learn:scikit-learn:0.21.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.21.2
- cpe:2.3:a:scikit-learn:scikit-learn:0.21.3
- cpe:2.3:a:scikit-learn:scikit-learn:0.22
- cpe:2.3:a:scikit-learn:scikit-learn:0.22.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.22.2
- cpe:2.3:a:scikit-learn:scikit-learn:0.23.0
- cpe:2.3:a:scikit-learn:scikit-learn:0.3
- cpe:2.3:a:scikit-learn:scikit-learn:0.4
- cpe:2.3:a:scikit-learn:scikit-learn:0.5
- cpe:2.3:a:scikit-learn:scikit-learn:0.6.0
- cpe:2.3:a:scikit-learn:scikit-learn:0.7
- cpe:2.3:a:scikit-learn:scikit-learn:0.7.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.8
- cpe:2.3:a:scikit-learn:scikit-learn:0.8.1
- cpe:2.3:a:scikit-learn:scikit-learn:0.9