scikit_learn-1.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 1 vulnerabilities (highest severity is: 4.7) unreachable #6
Description
Vulnerable Library - scikit_learn-1.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
A set of python modules for machine learning and data mining
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260219120409_AEEMWL/python_IKDEBG/20260219120410/scikit_learn-1.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Found in HEAD commit: c2a0de4212c13487918a46a2935ca84031dd91aa
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (scikit_learn version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-5206 |  Medium |
4.7 | Not Defined | 0.0% | scikit_learn-1.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Direct | scikit-learn - 1.5.0 | ❌ |
|
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-5206
Vulnerable Library - scikit_learn-1.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
A set of python modules for machine learning and data mining
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260219120409_AEEMWL/python_IKDEBG/20260219120410/scikit_learn-1.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Dependency Hierarchy:
- ❌ scikit_learn-1.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: c2a0de4212c13487918a46a2935ca84031dd91aa
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the stop_words_ attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the stop_words_ attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.
Publish Date: 2024-06-06
URL: CVE-2024-5206
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-jw8x-6495-233v
Release Date: 2024-06-06
Fix Resolution: scikit-learn - 1.5.0