CVE-2024-0959

A vulnerability was found in StanfordVL GibsonEnv 0.3.1. It has been classified as critical. Affected is the function cloudpickle.load of the file gibson\utils\pposgd_fuse.py. The manipulation leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252204.

CVSS v3 9.8 CRITICAL
CVSS v2.0 5.1 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.1^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/bayuncao/vul-cve-7	Broken Link
https://github.com/bayuncao/vul-cve-7/blob/main/dataset.pkl	Broken Link
https://vuldb.com/?ctiid.252204	Permissions Required
https://vuldb.com/?id.252204	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:standford:gibsonenv:0.3.1:*:*:*:*:*:*:*

History

02 Feb 2024, 02:18

Type	Values Removed	Values Added
CPE		cpe:2.3:a:standford:gibsonenv:0.3.1:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Standford gibsonenv Standford
References	~~() https://vuldb.com/?ctiid.252204 -~~	() https://vuldb.com/?ctiid.252204 - Permissions Required
References	~~() https://github.com/bayuncao/vul-cve-7 -~~	() https://github.com/bayuncao/vul-cve-7 - Broken Link
References	~~() https://github.com/bayuncao/vul-cve-7/blob/main/dataset.pkl -~~	() https://github.com/bayuncao/vul-cve-7/blob/main/dataset.pkl - Broken Link
References	~~() https://vuldb.com/?id.252204 -~~	() https://vuldb.com/?id.252204 - Permissions Required

27 Jan 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-27 11:15

Updated : 2024-05-17 02:35

NVD link : CVE-2024-0959

Mitre link : CVE-2024-0959

CVE.ORG link : CVE-2024-0959

JSON object : View

Products Affected

standford

gibsonenv

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2024-0959", "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 5.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.6}]}, "published": "2024-01-27T11:15:17.497", "references": [{"url": "https://github.com/bayuncao/vul-cve-7", "tags": ["Broken Link"], "source": "cna@vuldb.com"}, {"url": "https://github.com/bayuncao/vul-cve-7/blob/main/dataset.pkl", "tags": ["Broken Link"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.252204", "tags": ["Permissions Required"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.252204", "tags": ["Permissions Required"], "source": "cna@vuldb.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in StanfordVL GibsonEnv 0.3.1. It has been classified as critical. Affected is the function cloudpickle.load of the file gibson\\utils\\pposgd_fuse.py. The manipulation leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252204."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en StanfordVL GibsonEnv 0.3.1. Ha sido clasificada como cr\u00edtica. La funci\u00f3n cloudpickle.load del archivo gibson\\utils\\pposgd_fuse.py es afectada por la vulnerabilidad. La manipulaci\u00f3n conduce a la deserializaci\u00f3n. Es posible lanzar el ataque de forma remota. La complejidad de un ataque es bastante alta. Se dice que la explotabilidad es dif\u00edcil. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-252204."}], "lastModified": "2024-05-17T02:35:06.383", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:standford:gibsonenv:0.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "503F6932-307F-4752-8F90-560D57914948"}], "operator": "OR"}]}], "sourceIdentifier": "cna@vuldb.com"}