Arbitrary Code Execution Risk in Pymatgen Library from Python Materials Genomics
CVE-2024-23346

7.8HIGH

Key Information:

Vendor

Materialsproject

Status
Pymatgen
Vendor
CVE Published:
21 February 2024

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 32%

What is CVE-2024-23346?

A significant security issue has been identified in the Pymatgen library, which is designed for materials analysis. The vulnerability stems from the from_transformation_str() method, which mistakenly employs insecure input processing using eval(). This flaw creates a potential pathway for attackers to execute arbitrary code by providing untrusted input. Users of Pymatgen versions prior to 2024.2.20 are particularly at risk, as the library does not adequately sanitize input data, thus exposing systems to exploitation. It is crucial for users to upgrade to the latest version, 2024.2.20, where this vulnerability has been resolved.

Affected Version(s)

pymatgen < 2024.2.20

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-23346-rust-exploit
Created by szyth

CVE-2024-23346
Created by MAWK0235

References

https://github.com/materialsproject/pymatgen/security/adv...
x_refsource_CONFIRM
https://github.com/materialsproject/pymatgen/commit/c231c...
x_refsource_MISC
https://github.com/materialsproject/pymatgen/blob/master/...
x_refsource_MISC

EPSS Score

32% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-23346 : Arbitrary Code Execution Risk in Pymatgen Library from Python Materials Genomics