qiskit-ibm-runtime@0.11.0 vulnerabilities

IBM Quantum client for Qiskit Runtime.

latest version

0.23.0
latest non vulnerable version

0.23.0
first published

2 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [0,)
View qiskit-ibm-runtime package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the qiskit-ibm-runtime package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
L Uncontrolled Recalculation of Data to Code ('Code Injection') qiskit-ibm-runtime is an IBM Quantum client for Qiskit Runtime. Affected versions of this package are vulnerable to Uncontrolled Recalculation of Data to Code ('Code Injection') due to the usage of `eval` method in `Options._get_program_inputs`. An attacker can execute arbitrary code by using a specifically crafted object that, when processed by the `eval` method, leads to code execution. This issue arises because `Options` are used server-side, potentially exposing runtime containers to arbitrary code injection. How to fix Uncontrolled Recalculation of Data to Code ('Code Injection')? Upgrade `qiskit-ibm-runtime` to version 0.11.1 or higher.	[0.11.0,0.11.1)
M Deserialization of Untrusted Data qiskit-ibm-runtime is an IBM Quantum client for Qiskit Runtime. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the deserialization of JSON data using a specifically crafted input string. An attacker can execute arbitrary code on the system by providing a maliciously formatted input string to the deserialization process. How to fix Deserialization of Untrusted Data? Upgrade `qiskit-ibm-runtime` to version 0.21.2 or higher.	[0.1.0,0.21.2)

Uncontrolled Recalculation of Data to Code ('Code Injection')

qiskit-ibm-runtime is an IBM Quantum client for Qiskit Runtime.

Affected versions of this package are vulnerable to Uncontrolled Recalculation of Data to Code ('Code Injection') due to the usage of eval method in Options._get_program_inputs. An attacker can execute arbitrary code by using a specifically crafted object that, when processed by the eval method, leads to code execution. This issue arises because Options are used server-side, potentially exposing runtime containers to arbitrary code injection.

How to fix Uncontrolled Recalculation of Data to Code ('Code Injection')?

Upgrade qiskit-ibm-runtime to version 0.11.1 or higher.

[0.11.0,0.11.1)

Deserialization of Untrusted Data

qiskit-ibm-runtime is an IBM Quantum client for Qiskit Runtime.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the deserialization of JSON data using a specifically crafted input string. An attacker can execute arbitrary code on the system by providing a maliciously formatted input string to the deserialization process.

How to fix Deserialization of Untrusted Data?

Upgrade qiskit-ibm-runtime to version 0.21.2 or higher.

[0.1.0,0.21.2)

Go back to all versions of this package

qiskit-ibm-runtime@0.11.0 vulnerabilities

IBM Quantum client for Qiskit Runtime.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities