CVE-2024-23346 CRITICAL

CVE-2024-23346: pymatgen arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string

Vendor Materialsproject
Product pymatgen
Weakness CWE-77
Published February 21, 2024
Last update August 19, 2024

CVSS base score

9.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method of the `pymatgen` library prior to version 2024.2.20. The method passes the transformation string it is given to `eval()`, so parsing an untrusted string leads to execution of arbitrary code. Version 2024.2.20 fixes this issue.
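As an added example that is not pymatgen's code or the project's actual fix: a whitelist parser for a Jones-faithful style transformation string, written on the assumption (the page does not spell the format out) that the string is three comma-separated axis expressions in `a`, `b`, `c`, then `;`, then three rational translation components. Anything outside that grammar raises `ValueError` rather than being handed to `eval()`.

```python
import re
from fractions import Fraction

# Assumed grammar for one axis expression such as "-a+b" or "1/2c":
# optional sign, optional integer-or-fraction coefficient, then one of a, b, c.
_TERM = re.compile(r"([+-]?)(\d+(?:/\d+)?)?([abc])")
_FRACTION = re.compile(r"^[+-]?\d+(?:/\d+)?$")
_AXES = "abc"


def _parse_axis(expr: str) -> list:
    """Turn one axis expression into a row of three rational coefficients."""
    expr = expr.replace(" ", "")
    row = [Fraction(0)] * 3
    pos = 0
    for m in _TERM.finditer(expr):
        if m.start() != pos:  # characters the grammar does not cover
            raise ValueError(f"unexpected token in {expr!r}")
        sign, coef, var = m.groups()
        value = Fraction(coef) if coef else Fraction(1)
        row[_AXES.index(var)] += -value if sign == "-" else value
        pos = m.end()
    if pos == 0 or pos != len(expr):
        raise ValueError(f"unexpected token in {expr!r}")
    return row


def parse_transformation_string(s: str) -> tuple:
    """Parse 'a,b,c;0,0,0' into (3x3 rational matrix, length-3 translation).

    Only the grammar above is accepted; nothing in the string is ever executed,
    which is the property the eval()-based parser lacked.
    """
    parts = s.split(";")
    if len(parts) != 2:
        raise ValueError("expected exactly one ';' between matrix and translation")
    axes, shifts = parts[0].split(","), parts[1].split(",")
    if len(axes) != 3 or len(shifts) != 3:
        raise ValueError("expected three axis expressions and three translations")
    matrix = [_parse_axis(a) for a in axes]
    translation = []
    for t in shifts:
        t = t.strip()
        if not _FRACTION.match(t):
            raise ValueError(f"invalid translation component {t!r}")
        translation.append(Fraction(t))
    return matrix, translation


def is_safe_transformation_string(s: str) -> bool:
    """Validation helper: True only if the string fits the whitelist grammar."""
    try:
        parse_transformation_string(s)
        return True
    except ValueError:
        return False
```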

Key dates

Disclosure timeline

February 21, 2024 CVE published
August 19, 2024 Record updated