CVE-2024-34997
Deserialization vulnerability in joblib (PyPI)

Vulnerability type: Deserialization
Known public exploits: none

What is CVE-2024-34997 About?

Joblib v1.4.2 contains a deserialization vulnerability within the `joblib.numpy_pickle::NumpyArrayWrapper().read_array()` component. This flaw could lead to arbitrary code execution if untrusted serialized data is processed. However, the vendor disputes this, stating that `NumpyArrayWrapper` is only used with trusted content.

Affected Software

N/A

Technical Details

The deserialization vulnerability is in `joblib.numpy_pickle::NumpyArrayWrapper().read_array()` of joblib v1.4.2. This component reads and reconstructs `NumpyArrayWrapper` objects from serialized data. If an attacker can supply a specially crafted serialized object to this function, deserializing it could lead to the execution of arbitrary code on the host. The root cause is the inherent risk of deserializing data from untrusted sources: a malicious payload embedded in the serialized stream can trigger unintended operations while the object is being reconstructed. The vendor disputes exploitability, asserting that `NumpyArrayWrapper` is intended only for trusted, internal data caching.

What is the Impact of CVE-2024-34997?

Successful exploitation may allow attackers to execute arbitrary code in the context of the application, leading to compromise of the system or data manipulation.

What is the Exploitability of CVE-2024-34997?

Exploitation complexity depends heavily on whether an attacker can control the input to the `NumpyArrayWrapper().read_array()` function. As with deserialization vulnerabilities generally, the attacker must be able to supply malicious serialized data. Whether authentication is required depends on whether only authenticated users can trigger the vulnerable deserialization, and the privileges gained are those of the joblib process itself. The attack can be remote if the application deserializes untrusted input received from external users. A key constraint is the vendor's dispute, which claims the component is used exclusively with trusted content; exploitation would therefore require bypassing that trust boundary or finding a scenario in which untrusted data reaches the component indirectly. If the vendor's assertion is incorrect, the risk of exploitation increases significantly.
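The "Technical Details" and "Exploitability" sections above both come down to one question: can data that an attacker controls reach the unpickling step? A joblib dump is a pickle stream, so the defensive answer is the same as for `pickle.load`: do not interpret the stream until you have proof it came from the trusted writer, and resolve only the globals a numeric cache legitimately needs. The following is an added example written for this page, not joblib's own code; the HMAC key, the cache payloads, and the contents of the allow-list (which names joblib/numpy globals as an assumption about what such a cache contains) are all constructed for illustration.

```python
"""Defensive loader for a pickle-based cache such as a joblib dump.

Added example, not joblib's code. joblib.dump writes a pickle stream, so
joblib.load carries the same trust requirement as pickle.load; the two
controls below (integrity tag checked first, restricted global lookup
second) apply to any such file. Key and allow-list are assumptions.
"""
import datetime
import hashlib
import hmac
import io
import pickle

# Assumed secret for the example; a real deployment fetches it from a
# secret store and never checks it into code.
CACHE_HMAC_KEY = b"constructed-example-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Globals a numeric cache legitimately needs (assumed list). Anything not
# listed here, e.g. os.system, subprocess.Popen or builtins.eval, is refused
# before it is ever looked up, which blocks pickle's code-execution path.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
    ("collections", "OrderedDict"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
    ("numpy.core.multiarray", "_reconstruct"),
    ("joblib.numpy_pickle", "NumpyArrayWrapper"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed (module, name) globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from an untrusted stream"
        )


def make_signed_blob(obj, key=CACHE_HMAC_KEY) -> bytes:
    """Serialize obj and prepend an HMAC-SHA256 tag over the pickle bytes.

    Only a process holding the key can produce a blob this loader accepts,
    so a cache directory writable by others stops being a deserialization
    entry point.
    """
    blob = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return hmac.new(key, blob, hashlib.sha256).digest() + blob


def verify_and_load(signed: bytes, key=CACHE_HMAC_KEY):
    """Check the tag first, then unpickle through the restricted loader.

    Order matters: no byte of the stream is interpreted until the tag has
    proved it was written by the trusted producer.
    """
    if len(signed) < TAG_LEN:
        raise ValueError("cache blob too short to carry an integrity tag")
    tag, blob = signed[:TAG_LEN], signed[TAG_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache blob failed integrity check; not deserializing")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def run_checks():
    """Exercise the loader on constructed inputs. Returns three booleans:
    (trusted blob loads, tampered blob refused, foreign global refused)."""
    payload = {"weights": [0.5, 1.5], "label": "constructed-model"}
    signed = make_signed_blob(payload)
    loads_ok = verify_and_load(signed) == payload

    tampered = bytearray(signed)
    tampered[-1] ^= 0x01  # flip one bit in the pickle body
    try:
        verify_and_load(bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    # A correctly signed stream can still name a global outside the list.
    # datetime.date stands in for any class the cache has no business
    # reconstructing; the HMAC passes here, so the allow-list is the
    # control that fires.
    foreign = make_signed_blob(datetime.date(2024, 1, 1))
    try:
        verify_and_load(foreign)
        global_rejected = False
    except pickle.UnpicklingError:
        global_rejected = True
    return loads_ok, tamper_rejected, global_rejected


if __name__ == "__main__":
    print(run_checks())  # (True, True, True)
```

The two controls address the two halves of the vendor dispute. The HMAC check enforces the "trusted content only" assumption mechanically rather than by convention, and the restricted `find_class` limits the damage if that assumption is ever wrong. Neither changes the file format, so an existing cache directory can be migrated by re-signing its contents.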

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-34997?

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2024-34997?

Similar Vulnerabilities: CVE-2023-24996, CVE-2023-29471, CVE-2021-21342, CVE-2020-9489, CVE-2017-9804