CVE-2020-13091

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-13091
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13091.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-13091
Aliases
Withdrawn
2020-05-18T11:16:52Z
Published
2020-05-15T19:15:12Z
Modified
2025-07-29T08:53:58.963143Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if a pickled object's __reduce__ method makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner.

References

Affected packages

Debian:11 / pandas

Package

Name
pandas
Purl
pkg:deb/debian/pandas?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.1.5+dfsg-2
1.3.4+dfsg-1
1.3.4+dfsg-2
1.3.4+dfsg-3
1.3.4+dfsg-4
1.3.4+dfsg-5
1.3.4+dfsg-6
1.3.4+dfsg-7
1.3.5+dfsg-1
1.3.5+dfsg-2
1.3.5+dfsg-3
1.3.5+dfsg-4
1.3.5+dfsg-5
1.3.5+dfsg-6
1.4.3+dfsg-1
1.4.3+dfsg-2
1.4.3+dfsg-3
1.4.3+dfsg-4
1.4.3+dfsg-5
1.4.3+dfsg-6
1.5.1+dfsg-1
1.5.1+dfsg-2
1.5.1+dfsg-3
1.5.2+dfsg-1
1.5.2+dfsg-2
1.5.2+dfsg-3
1.5.2+dfsg-4
1.5.2+dfsg-5
1.5.2+dfsg-6
1.5.3+dfsg-1
1.5.3+dfsg-2
1.5.3+dfsg-3
1.5.3+dfsg-4
1.5.3+dfsg-5
1.5.3+dfsg-6
1.5.3+dfsg-7
1.5.3+dfsg-8
1.5.3+dfsg-9
1.5.3+dfsg-10
1.5.3+dfsg-11
1.5.3+dfsg-12

2.*

2.0.3+dfsg-1
2.0.3+dfsg-2
2.0.3+dfsg-3
2.0.3+dfsg-4
2.0.3+dfsg-5
2.0.3+dfsg-6
2.1.0+dfsg-1
2.1.1+dfsg-1
2.1.1+dfsg-2
2.1.3+dfsg-1
2.1.4+dfsg-1
2.1.4+dfsg-2
2.1.4+dfsg-3
2.1.4+dfsg-4
2.1.4+dfsg-5
2.1.4+dfsg-6
2.1.4+dfsg-7
2.1.4+dfsg-8
2.2.2+dfsg-1
2.2.2+dfsg-2
2.2.2+dfsg-3
2.2.2+dfsg-4
2.2.3+dfsg-1
2.2.3+dfsg-2
2.2.3+dfsg-3
2.2.3+dfsg-4
2.2.3+dfsg-5
2.2.3+dfsg-6
2.2.3+dfsg-7
2.2.3+dfsg-8
2.2.3+dfsg-9

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / pandas

Package

Name
pandas
Purl
pkg:deb/debian/pandas?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.5.3+dfsg-2
1.5.3+dfsg-3
1.5.3+dfsg-4
1.5.3+dfsg-5
1.5.3+dfsg-6
1.5.3+dfsg-7
1.5.3+dfsg-8
1.5.3+dfsg-9
1.5.3+dfsg-10
1.5.3+dfsg-11
1.5.3+dfsg-12

2.*

2.0.3+dfsg-1
2.0.3+dfsg-2
2.0.3+dfsg-3
2.0.3+dfsg-4
2.0.3+dfsg-5
2.0.3+dfsg-6
2.1.0+dfsg-1
2.1.1+dfsg-1
2.1.1+dfsg-2
2.1.3+dfsg-1
2.1.4+dfsg-1
2.1.4+dfsg-2
2.1.4+dfsg-3
2.1.4+dfsg-4
2.1.4+dfsg-5
2.1.4+dfsg-6
2.1.4+dfsg-7
2.1.4+dfsg-8
2.2.2+dfsg-1
2.2.2+dfsg-2
2.2.2+dfsg-3
2.2.2+dfsg-4
2.2.3+dfsg-1
2.2.3+dfsg-2
2.2.3+dfsg-3
2.2.3+dfsg-4
2.2.3+dfsg-5
2.2.3+dfsg-6
2.2.3+dfsg-7
2.2.3+dfsg-8
2.2.3+dfsg-9

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / pandas

Package

Name
pandas
Purl
pkg:deb/debian/pandas?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.2.3+dfsg-9

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/pandas-dev/pandas

Affected ranges

Type
GIT
Repo
https://github.com/pandas-dev/pandas
Events
Introduced
0 (Unknown introduced commit / All previous commits are affected)
Last affected

Affected versions

0.*

0.3.0

v0.*

v0.10.0
v0.10.0b1
v0.10.1
v0.11.0
v0.11.0rc1
v0.12.0
v0.12.0rc1
v0.13.0
v0.13.0rc1
v0.13.1
v0.14.0
v0.14.0rc1
v0.14.1
v0.15.0
v0.15.0rc1
v0.15.1
v0.15.2
v0.15.2pre
v0.15pre
v0.16.0
v0.16.0rc1
v0.16.1
v0.16.2
v0.17.0
v0.17.0rc1
v0.17.0rc2
v0.17.1
v0.18.0
v0.18.0rc1
v0.18.0rc2
v0.18.1
v0.19.0
v0.19.0rc1
v0.20.0
v0.20.0rc1
v0.20.0rc2
v0.20.1
v0.21.0
v0.21.0.dev
v0.21.0rc1
v0.22.0.dev0
v0.23.0
v0.23.0.dev0
v0.23.0rc1
v0.23.0rc2
v0.24.0
v0.24.0.dev0
v0.24.0rc1
v0.25.0
v0.25.0.dev0
v0.25.0rc0
v0.26.0.dev0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.6.0
v0.6.1
v0.7.0
v0.7.0rc1
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.0b1
v0.8.0b2
v0.8.0rc1
v0.8.0rc2
v0.8.1
v0.9.0
v0.9.0rc1
v0.9.0rc2
v0.9.1
v0.9.1rc1

v1.*

v1.0.0
v1.0.0rc0
v1.0.1
v1.0.2
v1.0.3