CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 4CVE-2024-23346 – pymatgen arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
https://notcve.org/view.php?id=CVE-2024-23346
21 Feb 2024 — Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue. Pymatgen (Python Materials Genomics) es una librería Python de código abierto para ... • https://github.com/9carlo6/CVE-2024-23346 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-42964 – Exponential ReDoS in pymatgen leads to denial of service
https://notcve.org/view.php?id=CVE-2022-42964
09 Nov 2022 — An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method Se puede activar un ReDoS exponencial (Denegación de Servicio de Expresión Regular) en el paquete pymatgen PyPI, cuando un atacante puede proporcionar entradas arbitrarias al método GaussianInput.from_string • https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184 • CWE-1333: Inefficient Regular Expression Complexity •