Lucene search

GoogleOSV:GHSA-5G73-69P4-7GVX

HistoryJan 22, 2024 - 3:30 a.m.

Code execution in pandasai

2024-01-2203:30:26

Google

osv.dev

pandasai

synthetic dataframe

pipeline

code execution

sdfcodeexecutor

python code

attacker

cve-2023-39660

vendor.

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.004

Percentile

75.2%

JSON

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.

References

github.com/gventuri/pandas-ai

github.com/gventuri/pandas-ai/issues/868

nvd.nist.gov/vuln/detail/CVE-2024-23752

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.004

Percentile

75.2%

JSON

Related for OSV:GHSA-5G73-69P4-7GVX