CVE-2024-23752
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Description
GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2024-01-22 CVE Reserved
- 2024-01-22 CVE Published
- 2024-01-30 EPSS Updated
- 2024-08-01 CVE Updated
- 2024-08-01 First Exploit
- Exploited in Wild: (no date)
- KEV Due Date: (no date)
CWE
- CWE-862: Missing Authorization
CAPEC
References (1)
URL | Date | Source
---|---|---
https://github.com/gventuri/pandas-ai/issues/868 | 2024-08-01 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Gabrieleventuri | Pandasai | <= 1.5.17 | python | Affected