Pandas is a requirement for MLflow, which we are trying to deploy in production. However, our security scan is showing us that pandas has a security vulnerability (CVE-2020-13091) and this vulnerability is preventing us from using MLflow in production, due to compliance issues.
It would be great if you could launch an alternative version of pandas, without the read_pickle method. This would be really useful and would solve the current security vulnerability.
Comment From: jbrockmendel
Could you disable pickle at a lower level?
Comment From: jreback
this is a nonstarter
if you want to disable pickle that's up to you but pandas is general purpose
-1 on any change
Comment From: TomAugspurger
@sergeisantoyo you can let you're security team know that the CVE is disputed. The author apparently tried to retract it but I don't know the status: https://github.com/0FuzzingQ/vuln/issues/4