Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency Check Report - Pandas 1.5.3 #7230

Open
aqua-coding opened this issue Dec 5, 2024 · 3 comments
Open

Dependency Check Report - Pandas 1.5.3 #7230

aqua-coding opened this issue Dec 5, 2024 · 3 comments
Labels

Comments

@aqua-coding
Copy link

Through a Dependency Check Scan report it shows dependency issues with pandas 1.5.3 with Highest Severity: HIGH, CVE Count 1 and Evidence Count 3 and under identifiers it shows me pkg:pypi/[email protected] (Confidence:Highest).

But other than that there arent any details given about the vulnerability and how critical it is. A lot of my applications are using Pandas 1.5.3 and I need to know more details to see how critical it is for the applications. Could you please help me with this.

Here are more details of the report:

  • Dependencies(vulnerable)
    pandas:1.5.3
    CVE-2024-9880 (OSSINDEX) suppress

pandas - Code Injection
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
Base Score: HIGH (8.600000381469727)
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References:
OSSINDEX - [CVE-2024-9880] CWE-94: Improper Control of Generation of Code ('Code Injection')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-9880
OSSIndex - https://huntr.com/bounties/a49baae1-4652-4d6c-a179-313c21c41a8d
Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a::pandas:1.5.3:::::::

Suppressed Vulnerabilities

pandas:1.5.3
CVE-2020-13091 (OSSINDEX) suppressed

pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if reduce makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-13091 for details
CWE-502 Deserialization of Untrusted Data

Notes: file name: pandas:1.4.1

CVSSv3:
CRITICAL (9.800000190734863)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
OSSINDEX - [CVE-2020-13091] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13091
OSSIndex - https://advisories.gitlab.com/advisory/advpypi_pandas_CVE_2020_13091.html
OSSIndex - https://www.tenable.com/cve/CVE-2020-13091
Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a::pandas:1.5.3:::::::

Could you please also tell me why is the same Pandas version under "Supressed Vulnerabilities" and how to kno if it is a false positive? Thanks in advance

@jeremylong
Copy link
Owner

Do you have a suppression file configured? It looks like you probably do - which is why this is listed in the suppressed section.

@kminoacn
Copy link

kminoacn commented Dec 9, 2024

Hello

The CVE-2024-9880 is present even in the latest version of Pandas. Has anyone figured out if this is a false positive?

@aqua-coding
Copy link
Author

aqua-coding commented Dec 9, 2024

I do have an application, which runs pandas 2.2.1 and so far didnt get any vulnerability issue. Can anyone please confirm if CVE-2024-9880 is false positive?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants