Lucene search

MitreCVE-2024-23752

HistoryJan 22, 2024 - 1:15 a.m.

CVE-2024-23752

2024-01-2201:15:08

CWE-862

mitre

web.nvd.nist.gov

cve

2024

23752

pandasai

python code

security issue

nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.004

Percentile

75.2%

JSON

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.

Affected configurations

Nvd

Node

gabrieleventuripandasaiRange≤1.5.17python

VendorProductVersionCPE
gabrieleventuripandasai*cpe:2.3:a:gabrieleventuri:pandasai:*:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
gabrieleventuri	pandasai	*	cpe:2.3:a:gabrieleventuri:pandasai::::::python::*

References

github.com/gventuri/pandas-ai/issues/868

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.004

Percentile

75.2%

JSON

Related for CVE-2024-23752