CVE-2023-47248

2023-11-0909:15:08

Google

osv.dev

cve-2023-47248

pyarrow

vulnerability

code execution

ipc

parquet

upgrade

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.9%

JSON

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, we provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

CPENameOperatorVersion
arroweqapache-arrow-0.4.1
arroweqapache-arrow-2.0.0
arroweqapache-arrow-3.0.0
arroweqapache-arrow-0.8.0
arroweqapache-arrow-5.0.0.de
arroweqapache-arrow-11.0.0.de
arroweqapache-arrow-14.0.0.de
arroweqapache-arrow-0.12.0
arroweqapache-arrow-js-0.4.1
arroweqapache-arrow-1.0.0

Name	Operator	Version
arrow	eq	apache-arrow-0.4.1
arrow	eq	apache-arrow-2.0.0
arrow	eq	apache-arrow-3.0.0
arrow	eq	apache-arrow-0.8.0
arrow	eq	apache-arrow-5.0.0.de
arrow	eq	apache-arrow-11.0.0.de
arrow	eq	apache-arrow-14.0.0.de
arrow	eq	apache-arrow-0.12.0
arrow	eq	apache-arrow-js-0.4.1
arrow	eq	apache-arrow-1.0.0