{"id":"CVE-2019-6446","details":"An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.","aliases":["GHSA-9fq2-x9r6-wfmf","PYSEC-2019-108"],"modified":"2026-05-14T04:03:59.705882699Z","published":"2019-01-16T05:29:01.370Z","related":["ALSA-2019:3335","SUSE-SU-2019:0418-1","SUSE-SU-2019:0419-1","SUSE-SU-2019:0448-1","SUSE-SU-2019:13951-1","SUSE-SU-2019:13977-1","SUSE-SU-2019:2462-1","SUSE-SU-2019:2462-2","openSUSE-SU-2019:0245-1","openSUSE-SU-2019:2225-1","openSUSE-SU-2019:2227-1","openSUSE-SU-2019:2259-1","openSUSE-SU-2024:11243-1","openSUSE-SU-2024:13820-1","openSUSE-SU-2024:14311-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"30"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00091.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00092.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00015.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106670"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3335"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3704"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1122208"},{"type":"REPORT","url":"https://github.com/numpy/numpy/issues/12759"},{"type":"FIX","url":"https://github.com/numpy/numpy/commit/89b688732b37616c9d26623f81aaee1703c30ffb"},{"type":"FIX","url":"https://github.com/numpy/numpy/pull/12889"},{"type":"FIX","url":"https://github.com/numpy/numpy/pull/13359"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/numpy/numpy","events":[{"introduced":"0"},{"last_affected":"971e2e89d08deeae0139d3011d15646fdac13c92"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.16.0"}],"cpe":"cpe:2.3:a:numpy:numpy:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["v1.16.0","v1.16.0rc2","v1.16.0rc1","pre-removal-numpybook","with_maskna","v0.3.0","v0.2.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-6446.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}