Cybersecurity specialists report the detection of some critical vulnerabilities in NumPy, a library for the Python programming language with support for creating vectors and multidimensional arrays, along with a large collection of high-level mathematical functions. According to the report, successful exploitation of the reported flaws would allow threat actors to deploy dangerous hacking tasks.
Below are brief descriptions of the reported flaws, in addition to their respective tracking keys and scores assigned under the Common Vulnerability Scoring System (CVSS).
CVE-2021-41495: The vulnerability exists due to a NULL pointer dereference error in numpy.sort in NumPy would allow remote threat actors to perform a denial of service (DoS) attack.
This is a low-severity error and received a CVSS score of 3.4/10.
CVE-2021-34141: The vulnerability exists because an incomplete string comparison in the numpy.core component in NumPy would allow remote attackers to pass specific string objects to the library and perform a DoS attack.
The flaw received a CVSS score of 3.2/10.
CVE-2021-41496: A boundary error within the array_from_pyobj() function in fortranobject.c would allow remote threat actors to pass an array with negative values to the application, leading to a DoS condition.
The vulnerability received a CVSS score of 2.7/10.
According to the report, the flaws reside in all versions of NumPy between 1.0 and 1.21.5.
While vulnerabilities can be exploited by unauthenticated remote threat actors, no exploitation attempts related to these reports have been identified so far. Still, users of affected deployments are encouraged to apply the available patches as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.