CVE-2024-23346

pymatgen arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string

Severity Score

9.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.

Pymatgen (Python Materials Genomics) es una librería Python de código abierto para análisis de materiales. Existe una vulnerabilidad de seguridad crítica en el método `JonesFaithfulTransformation.from_transformation_str()` dentro de la librería `pymatgen` antes de la versión 2024.2.20. Este método utiliza de forma insegura `eval()` para procesar la entrada, lo que permite la ejecución de código arbitrario al analizar entradas que no son de confianza. La versión 2024.2.20 soluciona este problema.

William Khem-Marquez discovered that Pymatgen, a Python library for materials analysis, could be tricked into running arbitrary code if a malformed CIF file is processed.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-01-15 CVE Reserved
2024-02-21 CVE Published
2024-08-19 CVE Updated
2024-11-05 First Exploit
2025-02-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (7)

URL	Tag	Source
https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108	X_refsource_misc
https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a	X_refsource_misc
https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f	X_refsource_confirm

URL	Date	SRC
https://github.com/9carlo6/CVE-2024-23346	2024-11-05
https://github.com/MAWK0235/CVE-2024-23346	2024-12-09
https://github.com/Sanity-Archive/CVE-2024-23346	2025-02-20
https://github.com/szyth/CVE-2024-23346-rust-exploit	2025-02-25

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pymatgen Search vendor "Pymatgen"		Pymatgen Search vendor "Pymatgen" for product "Pymatgen"				*		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				*		-		Affected