NVD:CVE-2024-23752
Published: Jan 22, 2024 - 1:15 a.m.

CVE-2024-23752

2024-01-22 01:15:08
CWE-862
web.nvd.nist.gov
Tags: pandasai, synthetic_dataframe, pipeline, cve-2024-23752, python code, sdfcodeexecutor, code execution, data frame, english language specification, vulnerability

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 9.6
Confidence: High
EPSS: 0.004
Percentile: 75.2%

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.

Affected configurations

Nvd
Node: gabrieleventuri pandasai, Range 1.5.17, python

Vendor: gabrieleventuri
Product: pandasai
Version: *
CPE: cpe:2.3:a:gabrieleventuri:pandasai:*:*:*:*:*:python:*:*

