Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00OTU3LTd2aHAtN3Y1Oc4AA45N
Deserialization of untrusted data in synthcity
A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9. Affected by this issue is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252182 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024.
Permalink: https://github.com/advisories/GHSA-4957-7vhp-7v59JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00OTU3LTd2aHAtN3Y1Oc4AA45N
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 10 months ago
Updated: 10 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-4957-7vhp-7v59, CVE-2024-0937
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-0937
- https://github.com/bayuncao/vul-cve-6
- https://vuldb.com/?ctiid.252182
- https://vuldb.com/?id.252182
- https://github.com/vanderschaarlab/synthcity/blob/73cfd8ca784f70141fc7f2969221cd3b5737f7b1/src/synthcity/utils/serialization.py#L30
- https://github.com/advisories/GHSA-4957-7vhp-7v59
Blast Radius: 0.0
Affected Packages
pypi:synthcity
Dependent packages: 3Dependent repositories: 1
Downloads: 3,320 last month
Affected Version Ranges: <= 0.2.9
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9