Vulnerability Description
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Materialsvirtuallab | Pymatgen | < 2024.2.20 |
Related Weaknesses (CWE)
References
- https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settiBroken Link
- https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9ddPatch
- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-ExploitVendor Advisory
- https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settiBroken Link
- https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9ddPatch
- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-ExploitVendor Advisory
- https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-librarExploitThird Party Advisory
FAQ
What is CVE-2024-23346?
CVE-2024-23346 is a vulnerability with a CVSS score of 9.3 (CRITICAL). Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` me...
How severe is CVE-2024-23346?
CVE-2024-23346 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-23346?
Check the references section above for vendor advisories and patch information. Affected products include: Materialsvirtuallab Pymatgen.