Lucene search
K

Pandas DataFrame.query Code Injection (Unpatched)

🗓️ 17 Dec 2024 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 22 Views

Pandas DataFrame.query has unpatched code injection vulnerability allowing command execution.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(213084);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/10");

  script_cve_id("CVE-2024-9880");

  script_name(english:"Pandas DataFrame.query Code Injection (Unpatched)");

  script_set_attribute(attribute:"synopsis", value:
"The Pandas library installed on the remote host is affected by a code injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the Pandas library installed on the remote host has an unpatched exposure. It is, therefore,
affected by a code injection vulnerability in the pandas.DataFrame.query function.  The function is 
intended to allow querying the columns of a DataFrame using a boolean expression. A malicious attacker
can constructs a malicious query to bypass input validation mechanisms and trigger a code injection vulnerability
which can lead to command execution if the code passes untrusted input into self.eval().

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://huntr.com/bounties/a49baae1-4652-4d6c-a179-313c21c41a8d");
  # https://github.com/pandas-dev/pandas/blob/v2.2.3/pandas/core/frame.py#L4823
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dbbeef33");
  # https://github.com/pandas-dev/pandas/blob/main/pandas/core/frame.py#L4612
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f363005e");
  script_set_attribute(attribute:"solution", value:
"This vulnerability is currently not fixed. Fix the code manually or monitor new releases for a fix.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-9880");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/12/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/12/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pandas-dev:pandas");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Artificial Intelligence");

  script_copyright(english:"This script is Copyright (C) 2024-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("python_packages_installed_nix.nbin", "python_packages_win_installed.nbin", "os_fingerprint.nasl");
  script_require_keys("global_settings/vendor_unpatched");
  script_require_ports("Host/nix/Python/Packages/Enumerated", "Host/win/Python/Packages/Enumerated");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");

include('python.inc');

var installs = [];

var pkg = 'pandas';

var libs = python::get_package_info(pkg_name:pkg);

if (empty_or_null(libs))
  audit(AUDIT_HOST_NOT, 'affected');

vcf::check_all_backporting(app_info:libs);

var report = 'These vulnerabilities remain unfixed and exist in the following locations:\n';

report += '\t Path: ' + libs.path;
report += '\n\t Version: ' + libs.version;
security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation