VDB
PYSEC-2023-238
PYSEC-2023-238
PUBLISHED
CVSS 9.300000190734863 CRITICAL
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).
Risk Scores
CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | pyarrow | 10.0.0, 2.0.0, 0.14.0 |
Timeline
- Nov 20, 2023 CVE Published
- Nov 20, 2023 CVE Updated
References
- https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n url
- https://www.openwall.com/lists/oss-security/2023/11/08/7 url
- https://github.com/advisories/GHSA-5wvp-7f3h-6wmm advisory
- https://www.cve.org/CVERecord?id=CVE-2023-47248 advisory
- https://pypi.org/project/pyarrow-hotfix/ patch
- https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf fix