CVE-2023-47248 - OpenCVE

Vendors	Products
Apache	Pyarrow

Link	Resource
https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf	Patch
https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/
https://pypi.org/project/pyarrow-hotfix/	Product

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-47248", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-11-04T18:51:21.216Z", "datePublished": "2023-11-09T08:17:08.431Z", "dateUpdated": "2023-11-10T14:11:03.759Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.org/", "defaultStatus": "unaffected", "packageName": "pyarrow", "product": "PyArrow", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "14.0.0", "status": "affected", "version": "0.14.0", "versionType": "semver"}]}, {"collectionURL": "https://conda-forge.org/", "defaultStatus": "unaffected", "packageName": "pyarrow", "product": "PyArrow", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "14.0.0", "status": "affected", "version": "0.14.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Li Jiakun - laoquanshi"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).</div><div><br></div><div>This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.<br></div><div><br></div><div>It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.<br></div><div><br></div><div>If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See <a target=\"_blank\" rel=\"nofollow\" href=\"https://pypi.org/project/pyarrow-hotfix/\">https://pypi.org/project/pyarrow-hotfix/</a> for instructions.<br></div><div><br></div>"}], "value": "Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).\n\nThis vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.\n\nIt is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.\n\nIf it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.\n\n"}], "metrics": [{"other": {"content": {"text": "critical"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-11-10T14:11:03.759Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n"}, {"tags": ["patch"], "url": "https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf"}, {"tags": ["mitigation"], "url": "https://pypi.org/project/pyarrow-hotfix/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/"}], "source": {"discovery": "EXTERNAL"}, "title": "PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:pyarrow:*:*:*:*:*:*:*:*", "matchCriteriaId": "E539AE6F-78DA-44F9-8185-667567004968", "versionEndIncluding": "14.0.0", "versionStartIncluding": "0.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).\n\nThis vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.\n\nIt is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.\n\nIf it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.\n\n"}, {"lang": "es", "value": "La deserializaci\u00f3n de datos que no son de confianza en lectores IPC y Parquet en las versiones de PyArrow 0.14.0 a 14.0.0 permite la ejecuci\u00f3n de c\u00f3digo arbitrario. Una aplicaci\u00f3n es vulnerable si lee datos de Arrow IPC, Feather o Parquet de fuentes que no son de confianza (por ejemplo, archivos de entrada proporcionados por el usuario). Esta vulnerabilidad solo afecta a PyArrow, no a otras implementaciones o enlaces de Apache Arrow. Se recomienda que los usuarios de PyArrow actualicen a 14.0.1. De manera similar, se recomienda que las librer\u00edas posteriores actualicen sus requisitos de dependencia a PyArrow 14.0.1 o posterior. Los paquetes PyPI ya est\u00e1n disponibles y esperamos que los paquetes conda-forge lo est\u00e9n pronto. Si no es posible actualizar, proporcionamos un paquete separado `pyarrow-hotfix` que desactiva la vulnerabilidad en versiones anteriores de PyArrow. Consulte https://pypi.org/project/pyarrow-hotfix/ para obtener instrucciones."}], "id": "CVE-2023-47248", "lastModified": "2023-11-29T03:15:42.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-09T09:15:08.223", "references": [{"source": "security@apache.org", "tags": ["Patch"], "url": "https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/"}, {"source": "security@apache.org", "tags": ["Product"], "url": "https://pypi.org/project/pyarrow-hotfix/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

JSON object

JSON object

JSON object