PyPI: numpy
CVE-2021-34141
Safety vulnerability ID: SFTY-20211217-44849
Safety legacy ID: pyup.io-44717
Overview
Incorrect Comparison in NumPy
Advisory
NumPy 1.22.0 includes a fix for CVE-2021-34141: an incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless." See https://github.com/numpy/numpy/issues/18993
References
- https://getsafety.com/vulnerabilities/SFTY-20211217-44849/CVE-2021-34141
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
- https://github.com/numpy/numpy/issues/18993
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-34141
- https://github.com/numpy/numpy/issues/18993#issuecomment-1010735102
- https://github.com/advisories/GHSA-fpfv-jqm9-f5jm
- https://github.com/pypa/advisory-database/tree/main/vulns/numpy/PYSEC-2021-855.yaml
