CVE-2024-23346: pymatgen vulnerable to arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
(updated )
A critical security vulnerability exists in the JonesFaithfulTransformation.from_transformation_str() method within the pymatgen library. This method insecurely utilizes eval() for processing input, enabling execution of arbitrary code when parsing untrusted input. This can be exploited when parsing a maliciously-created CIF file.
References
- github.com/advisories/GHSA-vgv8-5cpj-qj2f
- github.com/materialsproject/pymatgen
- github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py
- github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
- github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
- github.com/pypa/advisory-database/tree/main/vulns/pymatgen/PYSEC-2024-226.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-23346
- www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346
Code Behaviors & Features
Detect and mitigate CVE-2024-23346 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →