/ 详情

CVE-2024-5206

TODO
Bug-Report 成员
创建于  
2024-10-17 15:02

一、漏洞信息
漏洞编号:CVE-2024-5206
漏洞归属组件:scikit-learn
漏洞归属的版本:0.23.1,>= 0.14,>= 0.23.1
CVSS V3.0分值:
BaseScore:4.7 Medium
Vector:CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
漏洞简述:
A sensitive data leakage vulnerability was identified in scikit-learn s TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the stop_words_ attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the stop_words_ attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.
漏洞公开时间:2024-06-07 03:16:06
漏洞创建时间:2024-10-17 15:02:45
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2024-5206

更多参考(点击展开)
参考来源 参考链接 来源链接
security.huntr.dev https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8
security.huntr.dev https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c
suse_bugzilla http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5206 https://bugzilla.suse.com/show_bug.cgi?id=1226185
suse_bugzilla https://www.cve.org/CVERecord?id=CVE-2024-5206 https://bugzilla.suse.com/show_bug.cgi?id=1226185
suse_bugzilla https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 https://bugzilla.suse.com/show_bug.cgi?id=1226185
suse_bugzilla https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c https://bugzilla.suse.com/show_bug.cgi?id=1226185
suse_bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2291228 https://bugzilla.suse.com/show_bug.cgi?id=1226185
redhat_bugzilla https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 https://bugzilla.redhat.com/show_bug.cgi?id=2291228
redhat_bugzilla https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c https://bugzilla.redhat.com/show_bug.cgi?id=2291228
ubuntu https://www.cve.org/CVERecord?id=CVE-2024-5206 https://ubuntu.com/security/CVE-2024-5206
ubuntu https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c https://ubuntu.com/security/CVE-2024-5206
ubuntu https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 https://ubuntu.com/security/CVE-2024-5206
ubuntu https://nvd.nist.gov/vuln/detail/CVE-2024-5206 https://ubuntu.com/security/CVE-2024-5206
ubuntu https://launchpad.net/bugs/cve/CVE-2024-5206 https://ubuntu.com/security/CVE-2024-5206
ubuntu https://security-tracker.debian.org/tracker/CVE-2024-5206 https://ubuntu.com/security/CVE-2024-5206
debian https://security-tracker.debian.org/tracker/CVE-2024-5206
anolis https://anas.openanolis.cn/cves/detail/CVE-2024-5206
huntr https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c
cve_search https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c
cve_search https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8
mageia http://advisories.mageia.org/MGASA-2024-0228.html

漏洞分析指导链接:
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
漏洞数据来源:
其它
漏洞补丁信息:

详情(点击展开)
影响的包 修复版本 修复补丁 问题引入补丁 来源
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 security.huntr.dev
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 suse_bugzilla
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 redhat_bugzilla
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 ubuntu
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 nvd
https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c nvd

二、漏洞分析结构反馈
影响性分析说明:

MindSpore评分:

受影响版本排查(受影响/不受影响):
1.master:
2.v1.8.0:
3.v1.9.0:
4.v2.0.0:

评论 (3)

majun-bot 创建了Bug-Report 3个月前
majun-bot 添加了
 
CVE/UNFIXED
标签
3个月前
majun-bot 添加了
 
v1.8.0
标签
3个月前
majun-bot 添加了
 
v1.9.0
标签
3个月前
majun-bot 添加了
 
v2.0.0
标签
3个月前
majun-bot 添加协作者rainyhorse 3个月前
展开全部操作日志

感谢您的提问,您可以评论//mindspore-assistant更快获取帮助:

  1. 如果您刚刚接触MindSpore,或许您可以在教程找到答案
  2. 如果您是资深Pytorch用户,您或许需要:
  1. 如果您遇到动态图问题,可以设置set_context(pynative_synchronize=True)查看报错栈协助定位
  2. 模型精度调优问题可参考官网调优指南
  3. 如果您反馈的是框架BUG,请确认您在ISSUE中提供了MindSpore版本、使用的后端类型(CPU、GPU、Ascend)、环境、训练的代码官方链接以及可以复现报错的代码的启动方式等必要的定位信息
  4. 如果您已经定位出问题根因,欢迎提交PR参与MindSpore开源社区,我们会尽快review
TommyLike 计划开始日期设置为2024-10-17 3个月前
TommyLike 计划截止日期设置为2024-11-16 3个月前
TommyLike 优先级设置为次要 3个月前
mindspore-ci-bot 修改了描述 3个月前

登录 后才可以发表评论

状态
负责人
项目
里程碑
Pull Requests
关联的 Pull Requests 被合并后可能会关闭此 issue
分支
开始日期   -   截止日期
-
置顶选项
优先级
预计工期 (小时)
参与者(4)
5518576 mindspore ci 1587902139 i-robot-I-am-a-robot majun-bot-openMajun_admin rainyhorse-rainyhorse