7.8

CVE-2024-29032

Exploit

EPSS 0.07%
Veröffentlicht 20.03.2024 21:15:31
Zuletzt bearbeitet 03.12.2025 20:00:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

`qiskit_ibm_runtime.RuntimeDecoder` can execute arbitrary code

Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Starting in version 0.1.0 and prior to version 0.21.2, deserializing json data using `qiskit_ibm_runtime.RuntimeDecoder` can lead to arbitrary code execution given a correctly formatted input string. Version 0.21.2 contains a fix for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ibm ≫ Qiskit Ibm Runtime Version >= 0.1.0 < 0.21.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.216

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.3	1.8	3.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/Qiskit/qiskit-ibm-runtime/blob/16e90f475e78a9d2ae77daa139ef750cfa84ca82/qiskit_ibm_runtime/utils/json.py#L156-L159

Issue Tracking

https://github.com/Qiskit/qiskit-ibm-runtime/commit/b78fca114133051805d00043a404b25a33835f4d

Issue Tracking

https://github.com/Qiskit/qiskit-ibm-runtime/security/advisories/GHSA-x4x5-jv3x-9c7m

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-29032

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-29032

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-29032

EUVD