CVE-2024-23346
pymatgen arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
Pymatgen (Python Materials Genomics) es una librería Python de código abierto para análisis de materiales. Existe una vulnerabilidad de seguridad crítica en el método `JonesFaithfulTransformation.from_transformation_str()` dentro de la librería `pymatgen` antes de la versión 2024.2.20. Este método utiliza de forma insegura `eval()` para procesar la entrada, lo que permite la ejecución de código arbitrario al analizar entradas que no son de confianza. La versión 2024.2.20 soluciona este problema.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-01-15 CVE Reserved
- 2024-02-21 CVE Published
- 2024-02-22 EPSS Updated
- 2024-08-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108 | X_refsource_misc | |
https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a | X_refsource_misc | |
https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f | X_refsource_confirm |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
- | - | - | - | - |