Bug 1226185 (CVE-2024-5206)

Summary: VUL-0: CVE-2024-5206: python-scikit-learn: possible sensitive data leak in TfidfVectorizer
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: camila.matos, daniel.garcia
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/408994/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-5206:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-06-11 11:04:44 UTC 
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5206
https://www.cve.org/CVERecord?id=CVE-2024-5206
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8
https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c
https://bugzilla.redhat.com/show_bug.cgi?id=2291228
Comment 3 OBSbugzilla Bot 2024-06-12 07:25:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1226185) was mentioned in
https://build.opensuse.org/request/show/1180109 Factory / python-scikit-learn
Comment 4 OBSbugzilla Bot 2024-06-12 08:15:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1226185) was mentioned in
https://build.opensuse.org/request/show/1180116 Factory / python-scikit-learn
Comment 5 Maintenance Automation 2024-06-13 16:30:04 UTC 
SUSE-SU-2024:2029-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1226185
CVE References: CVE-2024-5206
Maintenance Incident: [SUSE:Maintenance:34254](https://smelt.suse.de/incident/34254/)
Sources used:
openSUSE Leap 15.3 (src):
 python-scikit-learn-0.23.2-150300.3.3.1
openSUSE Leap 15.5 (src):
 python-scikit-learn-0.23.2-150300.3.3.1
openSUSE Leap 15.6 (src):
 python-scikit-learn-0.23.2-150300.3.3.1
SUSE Package Hub 15 15-SP5 (src):
 python-scikit-learn-0.23.2-150300.3.3.1
SUSE Package Hub 15 15-SP6 (src):
 python-scikit-learn-0.23.2-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.