Third-Party Package Updates in Python for Scientific Computing - June 2025

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing versions 4.2.3 or 3.2.3 and higher including the following:

₁ Upgraded OpenSSL from v3.3.2 to v3.4.1 to remedy CVE-2024-12797, and CVE-2024-9143.

₂ Upgraded onnx from v1.16.0 to v1.17.0 to remedy CVE-2024-7776, and CVE-2024-5187.

₃ Upgraded jinja2 from v3.1.5 to v3.1.6 to remedy CVE-2025-27516, CVE-2024-56201, and CVE-2024-56326. The jinja2 library is not present in version 3.2.x.

₄ Upgraded pytorch from v2.2.2 to v2.6.0 to remedy CVE-2025-32434. Note: The pytorch library has been removed in this version for Mac Intel, and the PyTorch library is not included in version 3.2.x.

Solution

Upgrade Python for Scientific Computing (PSC) to version 4.2.3 or 3.2.3 or higher.
For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to version 4.2.3 requires updating MLTK to version 5.6.0 or higher. See https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade for upgrade help and https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure for more information on the version compatibility.
For Splunk IT Service Intelligence (ITSI), upgrading PSC to version 4.2.3 might cause problems with ITSI Predictive Analytics. After an upgrade of PSC, ITSI Predictive Analytics models might require retraining. See https://docs.splunk.com/Documentation/ITSI/latest/SI/ManageModel for more information.

Product Status

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.

Changelog

• 2025-07-11: Appended CVE-2024-9143 to OpenSSL package as remedied.