Mageia 9, MGASA-2024-0228 Critical: Python Scikit-Learn Data Leak Issue
mageia
June 20, 2024
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0
Summary
A sensitive data leakage vulnerability was identified in scikit-learn's
TfidfVectorizer, specifically in versions up to and including
1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises
from the unexpected storage of all tokens present in the training data
within the `stop_words_` attribute, rather than only storing the subset
of tokens required for the TF-IDF technique to function. This behavior
leads to the potential leakage of sensitive information, as the
`stop_words_` attribute could contain tokens that were meant to be
discarded and not stored, such as passwords or keys. The impact of this
vulnerability varies based on the nature of the data being processed by
the vectorizer.
References
- https://bugs.mageia.org/show_bug.cgi?id=33307
-
- https://www.cve.org/CVERecord?id=CVE-2024-5206
Resolution
SRPMS
- 9/core/python-scikit-learn-1.1.2-2.1.mga9
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 20 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0228.html
Type: security
CVE: CVE-2024-5206
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!