CVE-2024-9880

CVE-2024-9880

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVE-2024-9880

A flaw was found in pandas. This vulnerability allows an attacker to execute arbitrary commands on the server via a crafted query in the pandas.DataFrame.query function when using the 'python' engine.

GHSA-g3v3-r244-mhhm

A command injection vulnerability exists in the `pandas.DataFrame.query` function of pandas-dev/pandas versions up to and including v2.2.2. This vulnerability allows an attacker to execute arbitrary commands on the server by crafting a malicious query. The issue arises from the improper validation of user-supplied input in the `query` function when using the 'python' engine, leading to potential remote command execution.