CVE-2024-0937 synthcity

Package

Manager: pip
Name: synthcity
Vulnerable Version: >=0 <=0.2.9

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00081 (percentile 0.24651)

Details

Deserialization of untrusted data in synthcity

A vulnerability classified as critical has been found in van_der_Schaar LAB synthcity 0.2.9. It affects the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization of untrusted data, and the attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252182 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early and immediately confirmed the existence of the issue. A patch is planned to be released in February 2024.
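As a mitigation sketch for the CWE-502 class described above, the following added example (not synthcity code and not the vendor's patch) loads pickle data through an unpickler that resolves only allowlisted globals. It assumes the PKL files are Python pickle streams; `ALLOWED_GLOBALS`, `AllowlistUnpickler`, `safe_loads` and `check` are hypothetical names, and the sample byte strings are constructed here.

```python
import collections
import io
import pickle

# Assumption: the only non-builtin type expected in files we accept.
# A real model file would need its own, explicitly enumerated allowlist.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import anything outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # find_class is called whenever the stream asks for a global
        # (a class or function); this is the hook unsafe loads rely on.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Deserialize data, raising UnpicklingError on any unexpected global."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def check(data: bytes):
    """Return ('loaded', obj) or ('rejected', reason) without raising."""
    try:
        return ("loaded", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample inputs (benign): plain data, an allowlisted type,
# and a type that is not on the allowlist.
PLAIN = pickle.dumps({"epochs": 10, "lr": 0.001})
ORDERED = pickle.dumps(collections.OrderedDict(a=1))
UNEXPECTED = pickle.dumps(collections.Counter("aab"))

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("ordered", ORDERED),
                        ("unexpected", UNEXPECTED)]:
        print(label, check(blob))
```

Plain containers and numbers never reach `find_class`, so they load without an allowlist entry; any stream that references another class or function is rejected before that object is imported.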

Metadata

Created: 2024-01-26T18:30:34Z
Modified: 2024-02-02T20:31:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-4957-7vhp-7v59/GHSA-4957-7vhp-7v59.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-4957-7vhp-7v59
Finding: F096
Auto approve: 1