1. Home
  2. CVE Database
  3. CVE-2019-6446
CRITICAL · 9.8

CVE-2019-6446

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a...

Vulnerability Description

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
NumpyNumpy<= 1.16.0
FedoraprojectFedora30

Related Weaknesses (CWE)

CWE-502

References

FAQ

What is CVE-2019-6446?

CVE-2019-6446 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a...

How severe is CVE-2019-6446?

CVE-2019-6446 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-6446?

Check the references section above for vendor advisories and patch information. Affected products include: Numpy Numpy, Fedoraproject Fedora.