Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
skops' MethodNode can access unexpected object fields through dot notation, leading to arbitrary code execution at load time
Vulnerability Description
skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0.
CVSS Information
N/A
Vulnerability Type
不充分的类型区分
Vulnerability Title
Skops 安全漏洞
Vulnerability Description
Skops是Skops项目的一个 Python 库,可帮助共享基于 scikit-learn 的模型并将其投入生产。 Skops 0.11.0及之前版本存在安全漏洞,该漏洞源于MethodNode不一致性,可能导致任意代码执行。
CVSS Information
N/A
Vulnerability Type
N/A