An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2019-6446 from the MITRE CVE dictionary dictionary and NIST NVD.
Red Hat Enterprise Virtualization Management Appliance includes the vulnerable version of numpy, however it is not used and this vulnerability is not exposed.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 8.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | rhvm-appliance | Fix deferred |
| Red Hat Software Collections for Red Hat Enterprise Linux | python27-numpy | Affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-python35-numpy | Affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-python36-numpy | Affected |
| Red Hat OpenStack Platform 14 | numpy | Affected |
| Red Hat OpenStack Platform 13.0 (Queens) | numpy | Affected |
| Red Hat Enterprise Linux 7 | numpy | Affected |
| Red Hat Enterprise Linux 6 | numpy | Will not fix |
Vulmon