Bug 1226185 (CVE-2024-5206) - VUL-0: CVE-2024-5206: python-scikit-learn: possible sensitive data leak in TfidfVectorizer
Summary: VUL-0: CVE-2024-5206: python-scikit-learn: possible sensitive data leak in Tf...
Status: RESOLVED FIXED
Alias: CVE-2024-5206
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/408994/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-5206:5.5:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-11 11:04 UTC by SMASH SMASH
Modified: 2024-06-13 17:36 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-06-11 11:04:44 UTC 
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5206
https://www.cve.org/CVERecord?id=CVE-2024-5206
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8
https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c
https://bugzilla.redhat.com/show_bug.cgi?id=2291228
Comment 3 OBSbugzilla Bot 2024-06-12 07:25:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1226185) was mentioned in
https://build.opensuse.org/request/show/1180109 Factory / python-scikit-learn
Comment 4 OBSbugzilla Bot 2024-06-12 08:15:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1226185) was mentioned in
https://build.opensuse.org/request/show/1180116 Factory / python-scikit-learn
Comment 5 Maintenance Automation 2024-06-13 16:30:04 UTC 
SUSE-SU-2024:2029-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1226185
CVE References: CVE-2024-5206
Maintenance Incident: [SUSE:Maintenance:34254](https://smelt.suse.de/incident/34254/)
Sources used:
openSUSE Leap 15.3 (src):
 python-scikit-learn-0.23.2-150300.3.3.1
openSUSE Leap 15.5 (src):
 python-scikit-learn-0.23.2-150300.3.3.1
openSUSE Leap 15.6 (src):
 python-scikit-learn-0.23.2-150300.3.3.1
SUSE Package Hub 15 15-SP5 (src):
 python-scikit-learn-0.23.2-150300.3.3.1
SUSE Package Hub 15 15-SP6 (src):
 python-scikit-learn-0.23.2-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.