Arbitrary Code Execution

2023-08-1704:01:49

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

arbitrary code execution

pandas-ai

vulnerability

privileges

root user

restricted environment

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.6%

JSON

pandasai is vulnerable to Arbitrary Code Execution. An attacker is able to exploit this vulnerability by sending a specially crafted request to the Pandas-AI server. This request would cause the server to execute arbitrary code with the privileges of the root user. The vulnerability exists in _is_jailbreak() function which is used to determine if the current user is running in a restricted environment. The flaw allows the attacker to bypass the restricted environment and execute arbitrary code.