numpy
Fixed in
1.13.3
CVE-2017-12852 describes a Denial of Service (DoS) vulnerability within the NumPy library, specifically impacting versions up to 1.9.3. This flaw resides in the numpy.pad function, where inadequate input validation allows an attacker to induce an infinite loop. Exploitation can result in service unavailability and potential system instability. A patch addressing this vulnerability was released in version 1.13.3.
The vulnerability lies in the numpy.pad function's lack of input validation. By supplying an empty list or NumPy array as input, an attacker can force the function into an infinite loop. This loop consumes system resources (CPU and memory) rapidly, effectively denying service to legitimate users. The impact extends to any application or script relying on NumPy for numerical computations, potentially disrupting critical workflows. While not directly leading to data exfiltration, the DoS condition can be used as a distraction technique or to disrupt operations while other malicious activities are carried out.
CVE-2017-12852 was publicly disclosed on August 15, 2017. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation and the widespread use of NumPy make it a potential target. It is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is readily available, demonstrating the vulnerability's exploitability.
Exploit status
EPSS
0.81% (74th percentile)
CVSS vector
The primary mitigation for CVE-2017-12852 is to upgrade NumPy to version 1.13.3 or later, which includes the necessary input validation fix. If upgrading is not immediately feasible due to compatibility concerns or system downtime constraints, consider implementing temporary workarounds. These could involve carefully scrutinizing inputs to the numpy.pad function within your application code, ensuring that empty lists or arrays are not passed. While not a complete solution, this can reduce the attack surface. Monitoring system resource usage (CPU and memory) for unusual spikes can also help detect potential exploitation attempts. After upgrading, confirm the fix by attempting to call numpy.pad with an empty list as input; it should no longer result in an infinite loop.
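An added example (not code from this advisory or from the NumPy project) of the workaround described above: a wrapper that rejects empty input before it reaches numpy.pad, and a version check that flags an installed NumPy older than the 1.13.3 fix. The function names are assumptions chosen here.

```python
"""Defensive guard for numpy.pad against CVE-2017-12852 (empty input -> infinite loop).

Assumption (not from the advisory): the application routes its numpy.pad calls
through safe_pad() instead of calling numpy.pad directly.
"""
import re
import warnings

FIXED_VERSION = (1, 13, 3)  # release stated on the page as carrying the fix


def parse_version(version_str):
    """Turn '1.13.3', '1.13' or '1.13.3rc1' into a comparable tuple of ints."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version_str)
    if match is None:
        raise ValueError(f"unrecognised version string: {version_str!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected_version(version_str):
    """True when the given NumPy version predates the 1.13.3 fix."""
    return parse_version(version_str) < FIXED_VERSION


def is_empty_input(array_like):
    """Detect the trigger condition without needing NumPy: an ndarray-like object
    with size 0, an empty list/tuple, or nested lists that contain no elements
    (e.g. [[]], which NumPy would turn into a size-0 array)."""
    size = getattr(array_like, "size", None)
    if size is not None:
        return int(size) == 0
    if isinstance(array_like, (list, tuple)):
        return len(array_like) == 0 or all(is_empty_input(e) for e in array_like)
    return False  # scalars are never empty


def safe_pad(array_like, pad_width, mode="constant", **kwargs):
    """Refuse empty input, warn if the installed NumPy is unpatched, then delegate."""
    if is_empty_input(array_like):
        raise ValueError("refusing to pad an empty array (CVE-2017-12852 trigger)")
    import numpy as np  # imported lazily so the guard itself has no NumPy dependency
    if is_affected_version(np.__version__):
        warnings.warn(f"numpy {np.__version__} predates the 1.13.3 fix; "
                      "the input guard is the only protection", RuntimeWarning)
    return np.pad(np.asarray(array_like), pad_width, mode=mode, **kwargs)
```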
No official patch available. Check for workarounds or monitor for updates.
CVE-2017-12852 is a Denial of Service vulnerability in NumPy versions 1.9.3 and earlier. An attacker can trigger an infinite loop in the numpy.pad function, causing a DoS.
If you are using NumPy version 1.9.3 or earlier, you are potentially affected. Check your NumPy version using pip show numpy or python -c "import numpy; print(numpy.__version__)".
Upgrade to NumPy version 1.13.3 or later. This version includes a fix for the input validation issue that causes the DoS vulnerability.
There is no current evidence of CVE-2017-12852 being actively exploited in the wild, but public PoC code exists.
Refer to the NumPy security advisories and the related discussion on the NumPy mailing list for details: https://github.com/numpy/numpy/issues/9384