CVE-2024-29032: `qiskit_ibm_runtime.RuntimeDecoder` can execute arbitrary code

March 20, 2024

deserializing json data using qiskit_ibm_runtime.RuntimeDecoder can be made to execute arbitrary code given a correctly formatted input string

References

github.com/Qiskit/qiskit-ibm-runtime
github.com/Qiskit/qiskit-ibm-runtime/commit/b78fca114133051805d00043a404b25a33835f4d
github.com/Qiskit/qiskit-ibm-runtime/security/advisories/GHSA-x4x5-jv3x-9c7m
github.com/advisories/GHSA-x4x5-jv3x-9c7m
nvd.nist.gov/vuln/detail/CVE-2024-29032

Detect and mitigate CVE-2024-29032 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →