CVE-2024-23346
Published: 21 February 2024
Summary
CVE-2024-23346 is a critical-severity Command Injection (CWE-77) vulnerability in Materialsvirtuallab Pymatgen. Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Pymatgen, an open-source Python library for materials analysis, contains a critical vulnerability in the JonesFaithfulTransformation.from_transformation_str method prior to version 2024.2.20. The method passes untrusted input directly to eval, enabling arbitrary code execution while a transformation string is parsed. The flaw is classified as CWE-77 and carries a CVSS base score of 9.3.
An attacker able to supply a malicious transformation string to the affected method can achieve full code execution in the context of the calling application. Because the call requires no authentication or user interaction and crosses a security boundary, the flaw permits an adversary to compromise confidentiality, integrity, and availability on the host system.
The project advisory and patch commit c231cbd3d5147ee920a37b6ee9dd236b376bcf5a indicate that updating to pymatgen 2024.2.20 resolves the issue by removing the unsafe eval usage. The current and peak EPSS scores both stand at 0.5929 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0203
Vulnerability details
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
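The two descriptions above come down to one point: a transformation string is a tiny, well-defined grammar (three linear expressions in a, b, c and three translation fractions, e.g. `-b+c,a+c,-a+b+c;1/2,1/2,1/2`), and such input should be parsed with a parser that only knows that grammar, never with `eval()`. The following is an added illustration of that approach; it is not pymatgen's code and not the project's actual fix, and the string format is assumed from the method's documented usage.

```python
from __future__ import annotations
import re
from fractions import Fraction

# One linear term: optional sign, optional integer or fraction coefficient,
# then exactly one of the basis symbols a, b, c. Nothing else is accepted.
_TERM = re.compile(r"^([+-]?)(\d+(?:/\d+)?)?([abc])$")
_SYMBOLS = "abc"


def parse_axis(expr: str) -> list[Fraction]:
    """Parse one axis expression such as '-a+b' or '2c' into [coef_a, coef_b, coef_c].

    Every token must match _TERM; anything outside the grammar raises ValueError.
    The string is never evaluated, so it cannot execute code.
    """
    expr = expr.replace(" ", "")
    terms = re.findall(r"[+-]?[^+-]+", expr)
    if not terms or "".join(terms) != expr:
        raise ValueError(f"unparsable axis expression: {expr!r}")
    row = [Fraction(0)] * 3
    for term in terms:
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"illegal term {term!r} in {expr!r}")
        sign, coef, sym = m.groups()
        value = Fraction(coef) if coef else Fraction(1)
        row[_SYMBOLS.index(sym)] += -value if sign == "-" else value
    return row


def parse_transformation(s: str) -> tuple[list[list[Fraction]], list[Fraction]]:
    """Parse 'a,b,c;0,0,0' into (3x3 matrix rows, translation vector) without eval."""
    parts = s.split(";")
    if len(parts) != 2:
        raise ValueError("expected exactly one ';' separating axes and translation")
    axes, trans = parts[0].split(","), parts[1].split(",")
    if len(axes) != 3 or len(trans) != 3:
        raise ValueError("expected three axis expressions and three translations")
    matrix = [parse_axis(a) for a in axes]
    # Fraction() accepts '0' or '1/2' and raises ValueError on anything else.
    translation = [Fraction(t.strip()) for t in trans]
    return matrix, translation


def is_valid_transformation(s: str) -> bool:
    """True if the string is in the grammar; hostile or malformed input returns False."""
    try:
        parse_transformation(s)
        return True
    except ValueError:
        return False
```

Rejected input surfaces as a ValueError at the parser, which is also the natural place to log and count malformed transformation strings.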
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.