You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Through a Dependency Check Scan report it shows dependency issues with pandas 1.5.3 with Highest Severity: HIGH, CVE Count 1 and Evidence Count 3 and under identifiers it shows me pkg:pypi/[email protected] (Confidence:Highest).
But other than that there arent any details given about the vulnerability and how critical it is. A lot of my applications are using Pandas 1.5.3 and I need to know more details to see how critical it is for the applications. Could you please help me with this.
pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if reduce makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner
Could you please also tell me why is the same Pandas version under "Supressed Vulnerabilities" and how to kno if it is a false positive? Thanks in advance
The text was updated successfully, but these errors were encountered:
I do have an application, which runs pandas 2.2.1 and so far didnt get any vulnerability issue. Can anyone please confirm if CVE-2024-9880 is false positive?
Through a Dependency Check Scan report it shows dependency issues with pandas 1.5.3 with Highest Severity: HIGH, CVE Count 1 and Evidence Count 3 and under identifiers it shows me pkg:pypi/[email protected] (Confidence:Highest).
But other than that there arent any details given about the vulnerability and how critical it is. A lot of my applications are using Pandas 1.5.3 and I need to know more details to see how critical it is for the applications. Could you please help me with this.
Here are more details of the report:
pandas:1.5.3
CVE-2024-9880 (OSSINDEX) suppress
pandas - Code Injection
CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv2:
Base Score: HIGH (8.600000381469727)
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References:
OSSINDEX - [CVE-2024-9880] CWE-94: Improper Control of Generation of Code ('Code Injection')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-9880
OSSIndex - https://huntr.com/bounties/a49baae1-4652-4d6c-a179-313c21c41a8d
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a::pandas:1.5.3:::::::
Suppressed Vulnerabilities
pandas:1.5.3
CVE-2020-13091 (OSSINDEX) suppressed
pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if reduce makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-13091 for details
CWE-502 Deserialization of Untrusted Data
Notes: file name: pandas:1.4.1
CVSSv3:
CRITICAL (9.800000190734863)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
OSSINDEX - [CVE-2020-13091] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13091
OSSIndex - https://advisories.gitlab.com/advisory/advpypi_pandas_CVE_2020_13091.html
OSSIndex - https://www.tenable.com/cve/CVE-2020-13091
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a::pandas:1.5.3:::::::
Could you please also tell me why is the same Pandas version under "Supressed Vulnerabilities" and how to kno if it is a false positive? Thanks in advance
The text was updated successfully, but these errors were encountered: