PyPi: Evalml

CVE-2021-33430

Transitive

Safety vulnerability ID: 64847

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 17, 2021 Updated at Nov 29, 2024

Advisory

Evalml version 0.42.0 updates its minimum required version of numpy to >=1.21.0 from the previously specified >=1.20.0. This change addresses the security issue CVE-2021-33430.
https://github.com/alteryx/evalml/pull/3207/commits/2e3daedb4d800952d5f8c7488450df870ed09a48
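The fix in evalml 0.42.0 is only a dependency constraint: the vulnerable code lives in numpy, so what matters for an installed environment is the numpy version actually resolved, not the evalml version alone. The following is an added example (not code from the evalml project or from the advisory) that classifies an environment from its installed evalml and numpy versions against the two versions stated above; the function names, the status strings and the constructed sample versions are assumptions made for this illustration.

```python
"""Classify an environment against the evalml 0.42.0 numpy constraint bump.

Added example; the version numbers come from the advisory text above,
everything else (names, status strings, samples) is constructed here.
"""
import re
from importlib import metadata

FIXED_EVALML = "0.42.0"      # first evalml release that requires numpy >= 1.21.0
FIXED_NUMPY_MIN = "1.21.0"   # minimum numpy version that the fix enforces

# Status strings are an assumption of this example, not part of the advisory.
STATUS_OK = "ok"                          # numpy patched and evalml enforces it
STATUS_NUMPY_VULNERABLE = "numpy-below-1.21.0"   # the actual risk: old numpy installed
STATUS_CONSTRAINT_UNFIXED = "evalml-below-0.42.0-but-numpy-ok"  # safe now, not enforced


def parse_version(v: str) -> tuple:
    """Turn a release string such as '1.21.0' into a tuple of ints.

    Pre-release suffixes (e.g. '1.21.0rc1') are ignored, so a release candidate
    compares equal to its final release (an assumption kept for simplicity).
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def meets_minimum(installed: str, minimum: str) -> bool:
    """True if installed >= minimum, padding shorter tuples so '1.21' == '1.21.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def transitive_status(evalml_version: str, numpy_version: str) -> str:
    """Classify an environment by the numpy it really runs, then by the constraint."""
    if not meets_minimum(numpy_version, FIXED_NUMPY_MIN):
        return STATUS_NUMPY_VULNERABLE
    if not meets_minimum(evalml_version, FIXED_EVALML):
        return STATUS_CONSTRAINT_UNFIXED
    return STATUS_OK


def installed_status() -> str:
    """Read the live environment via importlib.metadata (stdlib, Python 3.8+).

    Returns 'not-installed' if either package is absent, so the check can run
    anywhere without raising.
    """
    try:
        return transitive_status(metadata.version("evalml"), metadata.version("numpy"))
    except metadata.PackageNotFoundError:
        return "not-installed"


if __name__ == "__main__":
    # Constructed sample environments, not real scan results.
    samples = [("0.41.0", "1.20.3"), ("0.41.0", "1.21.0"), ("0.42.0", "1.21.0")]
    for ev, np_ in samples:
        print(f"evalml {ev}, numpy {np_}: {transitive_status(ev, np_)}")
    print("this interpreter:", installed_status())
```

The ordering in `transitive_status` is deliberate: an old numpy is the exposure regardless of which evalml is installed, while an old evalml with a patched numpy is a hygiene finding (the constraint will not stop a future downgrade) rather than a live vulnerability.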

Affected package

evalml

Latest version: 0.84.0

an AutoML library that builds, optimizes, and evaluates machine learning pipelines using domain-specific objective functions

Affected versions

Fixed versions

Vulnerability changelog

Enhancements
- Required the separation of training and test data by ``gap`` + 1 units to be verified by ``time_index`` for time series problems 3208
- Added support for boolean features for ``ARIMARegressor`` 3187
- Updated dependency bot workflow to remove outdated description and add new configuration to delete branches automatically 3212
- Added ``n_obs`` and ``n_splits`` to ``TimeSeriesParametersDataCheck`` error details 3246
Fixes
- Fixed classification pipelines to only accept target data with the appropriate number of classes 3185
- Added support for time series in ``DefaultAlgorithm`` 3177
- Standardized names of featurization components 3192
- Removed empty cell in text_input.ipynb 3234
- Removed potential prediction explanations failure when pipelines predicted a class with probability 1 3221
- Dropped NaNs before partial dependence grid generation 3235
- Allowed prediction explanations to be json-serializable 3262
- Fixed bug where ``InvalidTargetDataCheck`` would not check time series regression targets 3251
- Fixed bug in ``are_datasets_separated_by_gap_time_index`` 3256
Changes
- Raised lowest compatible numpy version to 1.21.0 to address security concerns 3207
- Changed the default objective to ``MedianAE`` from ``R2`` for time series regression 3205
- Removed all-nan Unknown to Double logical conversion in ``infer_feature_types`` 3196
- Checking the validity of holdout data for time series problems can be performed by calling ``pipelines.utils.validate_holdout_datasets`` prior to calling ``predict`` 3208
Documentation Changes
Testing Changes
Breaking Changes
- Renamed ``DateTime Featurizer Component`` to ``DateTime Featurizer`` and ``Natural Language Featurization Component`` to ``Natural Language Featurizer`` 3192

Resources


Severity Details

CVSS Base Score

MEDIUM 5.3

CVSS v3 Details

MEDIUM 5.3
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
HIGH
Privileges Required (PR)
LOW
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
HIGH

CVSS v2 Details

LOW 3.5
Access Vector (AV)
NETWORK
Access Complexity (AC)
MEDIUM
Authentication (Au)
SINGLE
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
PARTIAL