VDB

PYSEC-2023-238

PYSEC-2023-238 PUBLISHED CVSS 9.300000190734863 CRITICAL

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

Risk Scores

CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

VendorProductVersions
PyPIpyarrow10.0.0, 2.0.0, 0.14.0

Timeline

  • Nov 20, 2023 CVE Published
  • Nov 20, 2023 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›