CVE-2024-23346

pymatgen arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string

CVSS 9.4 CRITICALEPSS 3.8%CWE-77

Vexday Risk Score

48Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.4EPSS 3.8%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

21 Feb 2024Published on NVD

05 Nov 2024Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products

materialsproject · pymatgen

public PoCs found — 6

githubgithub.com/9carlo6/CVE-2024-23346★ 4 githubgithub.com/DAVIDAROCA27/CVE-2024-23346-exploit★ 4 githubgithub.com/Sanity-Archive/CVE-2024-23346★ 2 githubgithub.com/MAWK0235/CVE-2024-23346★ 0 githubgithub.com/szyth/CVE-2024-23346-rust-exploit★ 0 exploitdbwww.exploit-db.com/exploits/52205unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108 https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346