scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl: 2 vulnerabilities (highest severity is: 9.8) #80
Description
Vulnerable Library - scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
SciPy: Scientific Library for Python
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 46b2b180777accd8b00c59f7f7b3dae4eeecfed2
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (scipy version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-29824 |  Critical |
9.8 | scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | N/A | ❌ |
| CVE-2023-25399 |  Medium |
5.5 | scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Direct | scipy - 1.10.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-29824
Vulnerable Library - scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
SciPy: Scientific Library for Python
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 46b2b180777accd8b00c59f7f7b3dae4eeecfed2
Found in base branch: main
Vulnerability Details
A use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0. NOTE: the vendor and discoverer indicate that this is not a security issue.
Publish Date: 2023-07-06
URL: CVE-2023-29824
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Step up your Open Source Security Game with Mend here
CVE-2023-25399
Vulnerable Library - scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
SciPy: Scientific Library for Python
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ scipy-1.7.3-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 46b2b180777accd8b00c59f7f7b3dae4eeecfed2
Found in base branch: main
Vulnerability Details
A refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function. Note: This is disputed as a bug and not a vulnerability. SciPy is not designed to be exposed to untrusted users or data directly.
Publish Date: 2023-07-05
URL: CVE-2023-25399
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9jx5-6pgf-crrp
Release Date: 2023-07-05
Fix Resolution: scipy - 1.10.0
Step up your Open Source Security Game with Mend here