Lucene search

GitHub Advisory DatabaseGHSA-5G73-69P4-7GVX

HistoryJan 22, 2024 - 3:30 a.m.

Code execution in pandasai

2024-01-2203:30:26

CWE-94

CWE-862

GitHub Advisory Database

github.com

pandasai

code execution

sdfpipeline

sdfcodeexecutor

arbitrary python code

dataframe

security vulnerability

cve-2023-39660

vendor restriction

software

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.004

Percentile

75.2%

JSON

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.

Affected configurations

Vulners

Node

pandasaiRange≤1.5.17

VendorProductVersionCPE
*pandasai*cpe:2.3:a:*:pandasai:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	pandasai	*	cpe:2.3:a::pandasai::::::::*

References

github.com/advisories/GHSA-5g73-69p4-7gvx

github.com/gventuri/pandas-ai/issues/868

nvd.nist.gov/vuln/detail/CVE-2024-23752

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.004

Percentile

75.2%

JSON

Related for GHSA-5G73-69P4-7GVX