CVE-2020-28975: Denial of Service
The svm_predict_values function in svm.cpp in Libsvm, as used in scikit-learn and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted SVM model (introduced via pickle, json, or any other model persistence format) with a large value in the _n_support array. Note, the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute.
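The failure mode above is a bookkeeping mismatch: libsvm uses the per-class counts in _n_support as offsets into the support-vector array, so a count that does not agree with the number of stored support vectors sends svm_predict_values past the end of the buffer. The following is an added example, not code from the advisory, Libsvm or scikit-learn, of a consistency check an application can run on a deserialised model before calling predict(). It assumes the attribute names _n_support (from the advisory text), support_vectors_ and classes_ (scikit-learn's public fitted attributes for a classification SVC); the fixtures are constructed stand-ins so the check runs without scikit-learn installed.

```python
"""Consistency checks for a deserialised SVM model before predict() hands it to libsvm."""
import operator
from types import SimpleNamespace
from typing import Sequence


class UntrustedModelError(ValueError):
    """Raised when a loaded model's support-vector bookkeeping is inconsistent."""


def check_support_counts(n_support: Sequence[int], n_support_vectors: int, n_classes: int) -> bool:
    """Check the invariants libsvm relies on for the per-class support-vector counts.

    svm_predict_values uses these counts as offsets into the support-vector
    array, so a negative count, or a sum that runs past the array end, turns
    into an out-of-bounds read (the segfault described in the advisory).
    Returns True when all invariants hold, raises UntrustedModelError otherwise.
    """
    counts = []
    for i, c in enumerate(n_support):
        try:
            # operator.index accepts int and numpy integer types, rejects floats/strings
            counts.append(operator.index(c))
        except TypeError:
            raise UntrustedModelError(f"n_support[{i}] = {c!r} is not an integer") from None
    if len(counts) != n_classes:
        raise UntrustedModelError(f"expected {n_classes} per-class counts, got {len(counts)}")
    if any(c < 0 for c in counts):
        raise UntrustedModelError(f"negative support-vector count in {counts}")
    if sum(counts) != n_support_vectors:
        raise UntrustedModelError(
            f"n_support sums to {sum(counts)} but the model holds {n_support_vectors} support vectors"
        )
    return True


def validate_loaded_svc(model) -> bool:
    """Duck-typed pre-predict check for a fitted classification SVC-like object.

    Attribute names assumed: _n_support (from the advisory), support_vectors_ and
    classes_ (scikit-learn's public fitted attributes). len() works on numpy
    arrays and on plain lists, so the constructed fixtures below need no scikit-learn.
    """
    try:
        n_support = model._n_support
        support_vectors = model.support_vectors_
        classes = model.classes_
    except AttributeError as exc:
        raise UntrustedModelError(f"model lacks fitted SVM attribute: {exc}") from None
    return check_support_counts(n_support, len(support_vectors), len(classes))


def make_fixture(n_support, n_support_vectors, n_classes=2):
    """Constructed stand-in for a fitted SVC; not a real scikit-learn object."""
    return SimpleNamespace(
        _n_support=list(n_support),
        support_vectors_=[[0.0, 0.0] for _ in range(n_support_vectors)],
        classes_=list(range(n_classes)),
    )


def is_safe_to_predict(model) -> bool:
    """Boolean gate for callers that prefer a yes/no answer over an exception."""
    try:
        return validate_loaded_svc(model)
    except UntrustedModelError:
        return False


if __name__ == "__main__":
    good = make_fixture([2, 3], 5)
    tampered = make_fixture([2, 10**9], 5)  # the oversized count from the advisory
    print("intact model:", is_safe_to_predict(good))      # True
    print("tampered model:", is_safe_to_predict(tampered))  # False
```

The check only guards the specific invariant libsvm depends on; it does not make loading the model safe. A pickle from an untrusted source executes arbitrary code during unpickling, long before predict() is reached, so the gate above belongs after a trusted load path (signed artefacts, a restricted unpickler, or a format such as JSON that carries data only), not as a substitute for one.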
Detect and mitigate CVE-2020-28975 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →