Vulnerabilites related to apache - pyarrow
Vulnerability from fkie_nvd
Published
2023-11-09 09:15
Modified
2025-02-13 18:15
Severity ?
Summary
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).
This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.
It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.
If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pyarrow:*:*:*:*:*:*:*:*", matchCriteriaId: "E539AE6F-78DA-44F9-8185-667567004968", versionEndIncluding: "14.0.0", versionStartIncluding: "0.14.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).\n\nThis vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.\n\nIt is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.\n\nIf it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.", }, { lang: "es", value: "La deserialización de datos que no son de confianza en lectores IPC y Parquet en las versiones de PyArrow 0.14.0 a 14.0.0 permite la ejecución de código arbitrario. Una aplicación es vulnerable si lee datos de Arrow IPC, Feather o Parquet de fuentes que no son de confianza (por ejemplo, archivos de entrada proporcionados por el usuario). Esta vulnerabilidad solo afecta a PyArrow, no a otras implementaciones o enlaces de Apache Arrow. Se recomienda que los usuarios de PyArrow actualicen a 14.0.1. De manera similar, se recomienda que las librerías posteriores actualicen sus requisitos de dependencia a PyArrow 14.0.1 o posterior. Los paquetes PyPI ya están disponibles y esperamos que los paquetes conda-forge lo estén pronto. Si no es posible actualizar, proporcionamos un paquete separado `pyarrow-hotfix` que desactiva la vulnerabilidad en versiones anteriores de PyArrow. Consulte https://pypi.org/project/pyarrow-hotfix/ para obtener instrucciones.", }, ], id: "CVE-2023-47248", lastModified: "2025-02-13T18:15:38.513", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-11-09T09:15:08.223", references: [ { source: "security@apache.org", tags: [ "Patch", ], url: "https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n", }, { source: "security@apache.org", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/", }, { source: "security@apache.org", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/", }, { source: "security@apache.org", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/", }, { source: "security@apache.org", tags: [ "Product", ], url: "https://pypi.org/project/pyarrow-hotfix/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://pypi.org/project/pyarrow-hotfix/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "security@apache.org", type: "Primary", }, ], }
cve-2023-47248
Vulnerability from cvelistv5
Published
2023-11-09 08:17
Modified
2025-02-13 17:17
Severity ?
EPSS score ?
Summary
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).
This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.
It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.
If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Apache Software Foundation | PyArrow |
Version: 0.14.0 ≤ 14.0.0 |
||||||
|
|||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T21:09:35.873Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n", }, { tags: [ "patch", "x_transferred", ], url: "https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf", }, { tags: [ "mitigation", "x_transferred", ], url: "https://pypi.org/project/pyarrow-hotfix/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pypi.org/", defaultStatus: "unaffected", packageName: "pyarrow", product: "PyArrow", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "14.0.0", status: "affected", version: "0.14.0", versionType: "semver", }, ], }, { collectionURL: "https://conda-forge.org/", defaultStatus: "unaffected", packageName: "pyarrow", product: "PyArrow", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "14.0.0", status: "affected", version: "0.14.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Li Jiakun - laoquanshi", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div>Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).</div><div><br></div><div>This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.<br></div><div><br></div><div>It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.<br></div><div><br></div><div>If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See <a target=\"_blank\" rel=\"nofollow\" href=\"https://pypi.org/project/pyarrow-hotfix/\">https://pypi.org/project/pyarrow-hotfix/</a> for instructions.<br></div><div><br></div>", }, ], value: "Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).\n\nThis vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.\n\nIt is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.\n\nIf it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.", }, ], metrics: [ { other: { content: { text: "critical", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-29T02:06:17.530Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n", }, { tags: [ "patch", ], url: "https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf", }, { tags: [ "mitigation", ], url: "https://pypi.org/project/pyarrow-hotfix/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/", }, ], source: { discovery: "EXTERNAL", }, title: "PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-47248", datePublished: "2023-11-09T08:17:08.431Z", dateReserved: "2023-11-04T18:51:21.216Z", dateUpdated: "2025-02-13T17:17:56.649Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }