exploitDog
GHSA-5g73-69p4-7gvx

Published: 22 Jan 2024
Source: github
GitHub: reviewed
CVSS3: 9.8

Description

Code execution in pandasai

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.

Packages

Name: pandasai (pip)
Affected versions: <= 1.5.17
Fixed version: none available

EPSS

Percentile: 71%
Score: 0.00685
Rating: Low

CVSS3: 9.8 Critical

Weaknesses (CWE)

CWE-862 (Missing Authorization)
CWE-94 (Improper Control of Generation of Code, i.e. code injection)

Related vulnerabilities

CVSS3: 9.8
Source: nvd
Published: about 2 years ago
Description, EPSS score and CWE entries are identical to the GitHub entry above.